A critical vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is now being actively exploited in the wild, despite Microsoft releasing an emergency patch. The flaw, which allows unauthenticated remote code execution, affects Windows Server versions 2012 through 2025 and stems from an insecure deserialization issue. Google's Threat Intelligence Group confirmed it is tracking a new threat actor, UNC6512, exploiting this vulnerability across multiple organizations.
Following initial compromise, the attackers perform reconnaissance on the host and network, executing commands and exfiltrating stolen data to remote servers. Although the number of internet-facing WSUS servers is limited, researchers note that exploitation is indiscriminate and the potential downstream impact is catastrophic. This is because a compromised WSUS server could be used to push malicious updates to all connected enterprise computers.
Microsoft's initial Patch Tuesday fix was incomplete, requiring an emergency update days later. This sequence of events has drawn criticism, as an incomplete patch can create a false sense of security while providing a roadmap for attackers. One researcher noted that exploitation attempts are already widespread, with hundreds of thousands of attempts observed, and the rate is expected to increase. The situation underscores the severe risk posed by vulnerabilities in core update services and the critical need for effective patches.
