How do I detect the critical WSUS vulnerability CVE-2025-59287?

Is my unpatched Windows Server at risk of ShadowPad malware infection?

Immediate action is required to secure Windows Server environments against CVE-2025-59287. Malicious actors are actively exploiting this critical Remote Code Execution (RCE) vulnerability to distribute ShadowPad malware. This flaw resides within the Windows Server Update Services (WSUS) component. It carries a CVSS severity score of 9.8, indicating a catastrophic risk level. If your organization manages updates via WSUS and missed the October 2025 security patches, your network integrity is likely compromised.

Understanding the Vulnerability Mechanism

The core issue stems from improper deserialization of untrusted data within WSUS. This architectural flaw permits unauthorized attackers to execute arbitrary code remotely. They do not need valid credentials to breach the system. Microsoft addressed this exposure on October 14, 2025, with standard security updates. Recognizing the severity, they released an additional Out-of-Band update on October 23, 2025. These patches are the only barrier preventing total system takeover.

The ShadowPad Attack Chain

Attackers now weaponize this vulnerability to deploy ShadowPad, a modular backdoor historically linked to state-sponsored hacking groups. The infection process follows a specific, detectable pattern:

  1. Initial Access: The attacker targets a Windows server running an unpatched instance of WSUS.
  2. Shell Execution: Upon successful exploitation, they deploy PowerCat. This open-source, PowerShell-based utility grants the attacker command-line shell access (CMD).
  3. Payload Delivery: Using legitimate system binaries—specifically certutil.exe and curl.exe—the attacker downloads and installs the ShadowPad malware.

Immediate Auditing and Remediation

Applying the patch now prevents future infections but does not remove existing threats. Systems patched after October 2025 may already host dormant malware. Administrators must treat late-patched servers as potentially compromised.

Conduct a thorough forensic audit focusing on these Indicators of Compromise (IoCs):

  • Process Execution: Review logs for unexpected usage of PowerShell, certutil.exe, or curl.exe, particularly those initiated by the WSUS service account.
  • Network Anomalies: Monitor outbound traffic for unusual connection patterns or communication with unknown IPs.
  • File System: Scan for unauthorized binaries masquerading as system updates or logs in temporary directories.
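
As an added example (not part of the original advisory), the following PowerShell hunt implements the process-execution check above against the Security event log: it lists certutil.exe, curl.exe and PowerShell launches whose parent is the WSUS service or its IIS worker process. It goes slightly beyond the page's list by also flagging cmd.exe and pwsh.exe; the parent process names, their association with WSUS, and the 60-day default window are assumptions, and process-creation auditing (Event ID 4688) must be enabled on the server for it to return anything.

```powershell
# Added example (not from the original advisory): hunt Security log 4688 events for
# certutil.exe, curl.exe or PowerShell spawned under the WSUS service or its IIS
# worker process. Assumes Audit Process Creation is enabled (command-line logging
# optional but recommended).
param(
    [int]$Days = 60   # assumed look-back; wide enough to cover the October 2025 patch window
)

# Parent processes assumed to host WSUS code: the WSUS service itself and the
# IIS worker process serving the WSUS application pool.
$wsusParents = @('wsusservice.exe', 'w3wp.exe')
# Living-off-the-land binaries from the attack chain, plus cmd.exe / pwsh.exe.
$suspectChildren = @('certutil.exe', 'curl.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe')

$filter = @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddDays(-$Days)
}

$hits = foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
    # Pull the EventData fields out of the event XML into a name -> value table.
    $xml  = [xml]$event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    $child  = [System.IO.Path]::GetFileName([string]$data['NewProcessName']).ToLower()
    $parent = [System.IO.Path]::GetFileName([string]$data['ParentProcessName']).ToLower()

    if ($suspectChildren -contains $child -and $wsusParents -contains $parent) {
        [pscustomobject]@{
            Time        = $event.TimeCreated
            Parent      = $parent
            Child       = $child
            CommandLine = $data['CommandLine']   # empty unless command-line auditing is on
            User        = $data['SubjectUserName']
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
    Write-Warning "WSUS process spawned certutil/curl/shell; treat this host as potentially compromised."
} else {
    Write-Host "No certutil/curl/PowerShell children of WSUS processes found in the last $Days days."
}
```

Run it as an administrator on each WSUS server; an empty result only rules out what the Security log still holds, so also check log retention covers the exposure window.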

Failure to verify these indicators leaves the ShadowPad backdoor active, granting attackers long-term persistence within your infrastructure.