The Google Threat Intelligence Group (GTIG) is currently investigating a series of cyberattacks linked to a threat actor exploiting a significant vulnerability in Windows Server Update Services (WSUS). The investigation follows the recent publication of a proof of concept for the flaw, which stems from WSUS handling untrusted data; WSUS is the service organizations use to distribute Microsoft product updates internally.
Escalating Threat Activity
Since last week, the threat landscape has intensified, with GTIG researchers noting an uptick in activity surrounding the exploitation of CVE-2025-59287. This newly identified threat actor, designated as UNC6512, has been observed targeting multiple organizations. According to GTIG, the hacker has gained initial access to compromised systems, conducted reconnaissance on affected hosts, and exfiltrated sensitive data.
This activity corroborates earlier findings from security firms such as Huntress Labs, which reported similar exploitation across at least four customer environments late last week. Although Microsoft released a patch earlier this month to address the vulnerability, that update has proven ineffective, prompting further scrutiny from cybersecurity experts.
Research and Response
Researchers from HawkTrace have also released a proof of concept for the vulnerability, while Eye Security detected suspicious activity through endpoint detection and response telemetry. Eye Security then replicated the proof of concept and alerted security partners and government agencies to the risks of exposing WSUS to the internet.
Eye Security’s analysis suggests that multiple variants may be targeting the vulnerability, as indicated by a comparison of tactics, techniques, and procedures (TTPs) with information disclosed by Huntress. “At least two adversaries have been exploiting it since last Friday,” a spokesperson from Eye Security remarked.
Malicious Activities Uncovered
Meanwhile, researchers at Palo Alto Networks Unit 42 have confirmed that exploitation is occurring through the use of malicious PowerShell commands. These commands are being employed to gather intelligence, map internal domain structures, and identify high-value user accounts. Shadowserver has reported approximately 2,800 instances exposed to this flaw, although researchers are still working to ascertain the exact number of vulnerable systems.
The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, urging WSUS users to promptly implement the patch and adhere to Microsoft’s mitigation guidance. CISA has communicated that, as of the weekend, there is no evidence of federal agencies being impacted, but they encourage external organizations to report any suspicious activities.
“CISA’s operational collaboration with Microsoft and our stakeholders continues around CVE-2025-59287 to ensure timely mitigation guidance and protect critical systems,” stated Nick Andersen, executive assistant director for the Cybersecurity Division. “Cybersecurity is not static—it’s about constant coordination, rapid response, and shared action.”