Windows WSUS CVE-2025-59287 Exploited to Harvest Sensitive Data
Category: Vulnerabilities / Exploitation
Sophos CTU researchers reported active exploitation of a remote code execution flaw (CVE-2025-59287) in Microsoft WSUS. Attackers used a Base64-encoded PowerShell command to exfiltrate Active Directory domain users, network interface configurations, and IP address data to webhook.site. The campaign began October 24, 2025, affecting U.S. universities and organizations in the manufacturing and healthcare sectors.
CORTEX Protocol Intelligence Assessment
Business Impact: Exploitation of WSUS could expose enterprise configuration data and user credentials, enabling lateral movement within domain environments.
Technical Context: Attackers exploited the deserialization flaw to launch PowerShell from IIS worker processes and harvested sensitive system data via outbound HTTP POSTs.
Strategic Intelligence Guidance
- Apply Microsoft’s October 23 out-of-band patch immediately.
- Restrict WSUS ports 8530/8531 from public access.
- Review logs for PowerShell or cmd.exe invocation anomalies.
- Segment administrative systems and enforce least privilege on domain controllers.
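The detection item above (PowerShell or cmd.exe invocation anomalies) combined with the technical context (PowerShell launched from IIS worker processes, a Base64-encoded command, outbound POSTs to webhook.site) maps to a simple process-creation rule. The script below is an added example, not code from the Sophos report or from Microsoft: it flags shells spawned by w3wp.exe (the IIS worker process that hosts WSUS), decodes any -EncodedCommand payload (PowerShell expects UTF-16LE text in Base64) and checks the decoded text for the exfiltration domain named in the report. The JSON-lines log format, the field names, the host names and every sample event are constructed for this example; map the fields to your own EDR or Sysmon event schema.

```python
"""Detection sketch for CVE-2025-59287 post-exploitation behaviour (added example).

Flags process-creation events in which the IIS worker process (w3wp.exe) spawns
powershell.exe, pwsh.exe or cmd.exe, decodes a -EncodedCommand argument, and
checks the decoded script for the exfil endpoint (webhook.site) named in the
Sophos report. Log format and sample events are constructed, not real telemetry.
"""
import base64
import json
from typing import List, Optional
import re

IIS_WORKER = "w3wp.exe"                       # IIS worker process; WSUS web services run inside it
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
EXFIL_INDICATORS = ("webhook.site",)          # exfil endpoint reported in the campaign

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; this covers the common spellings.
ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None if absent/invalid."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError subclass
        return None


def assess(event: dict) -> Optional[dict]:
    """Score one process-creation event; return None when nothing in it is suspicious."""
    parent = event.get("parent_image", "").rsplit("\\", 1)[-1].lower()
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("command_line", "")
    reasons: List[str] = []
    if parent == IIS_WORKER and image in SHELLS:
        reasons.append("shell spawned by IIS worker process")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if any(ind in decoded.lower() for ind in EXFIL_INDICATORS):
            reasons.append("decoded command references known exfil endpoint")
    if not reasons:
        return None
    # A shell under w3wp.exe is the core anomaly on a WSUS host; an encoded command alone is medium.
    severity = "high" if reasons[0].startswith("shell") or len(reasons) >= 2 else "medium"
    return {"host": event.get("host"), "pid": event.get("pid"), "severity": severity,
            "reasons": reasons, "decoded": decoded}


def scan(log_lines) -> List[dict]:
    """Run assess() over JSON-lines process-creation records and collect findings."""
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        finding = assess(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def encode_ps_command(ps: str) -> str:
    """Build a -EncodedCommand argument the way powershell.exe expects it (used for constructed test data)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


PS_DIR = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed sample events; hostnames, PIDs and the webhook.site path are placeholders.
SAMPLE_LOG = [
    json.dumps({"host": "wsus01", "pid": 4412, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "image": PS_DIR,
                "command_line": "powershell.exe -enc " + encode_ps_command("$t = 'https://webhook.site/PLACEHOLDER-ID'")}),
    json.dumps({"host": "wsus01", "pid": 4420, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"}),
    json.dumps({"host": "wsus01", "pid": 4431, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
                "command_line": "csc.exe /noconfig"}),  # ASP.NET compiler child: expected, not flagged
    json.dumps({"host": "admin-ws", "pid": 9001, "parent_image": r"C:\Windows\explorer.exe",
                "image": PS_DIR, "command_line": "powershell.exe -NoProfile -Command Get-Date"}),
    json.dumps({"host": "admin-ws", "pid": 9002, "parent_image": r"C:\Windows\System32\svchost.exe",
                "image": PS_DIR, "command_line": "powershell.exe -EncodedCommand " + encode_ps_command("Get-Date")}),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] host={f['host']} pid={f['pid']} reasons={f['reasons']} decoded={f['decoded']!r}")
```

Running the block prints three findings: the encoded PowerShell under w3wp.exe that decodes to a webhook.site reference (high), the bare cmd.exe under w3wp.exe (high), and the encoded command on the admin workstation (medium, because it did not come from IIS and decodes to nothing of interest). The csc.exe child and the interactive PowerShell session are left alone, which is the tuning you want on a WSUS server where ASP.NET compilation and administrator sessions are routine.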
Intelligence Source: Windows Server Update Services (WSUS) vulnerability abused to harvest sensitive data - Sophos News | Oct 30, 2025