A serious cybersecurity threat has come to light as attackers are now using the ShadowPad malware to exploit a major flaw in Windows Server Update Services (WSUS). The vulnerability, identified as CVE-2025-59287, allows attackers to run commands on a WSUS server without any authentication. Security researchers have confirmed that this flaw is already being abused in real attacks, which makes the situation urgent for every organisation using WSUS.

WSUS plays an important role in many companies because it manages Windows updates for multiple computers. Since it is a trusted part of the network, any compromise of WSUS can quickly spread to other systems. If an attacker gains control of WSUS, they can push harmful updates or move deeper into the network. This makes the vulnerability extremely dangerous.

The problem lies in the way WSUS processes certain data sent to it over the network. Attackers can craft a request that triggers unsafe deserialization inside WSUS. This flaw leads to remote code execution, giving the attacker full SYSTEM-level access. With such high privileges, they can completely take over the server.

Once attackers break into the WSUS server using this flaw, they are deploying the ShadowPad backdoor. ShadowPad is a highly advanced malware known for persistence, stealth, and modular features. Attackers are using built-in Windows tools to download and install it, making the attack harder to detect. After installation, ShadowPad gives long-term remote control to the intruder.

Reports show that many WSUS servers exposed on the internet are being scanned and targeted. Attackers often search for servers running on the default WSUS ports and exploit them quickly. The vulnerability was publicly revealed in October 2025, and active exploitation started shortly after. This rapid shift from disclosure to attack highlights how serious the flaw is.

Cybersecurity agencies worldwide have issued warnings due to the scale and impact of the threat. They have stressed that organisations must take this situation seriously and respond immediately. Any unpatched WSUS server is considered a high-risk target. The combination of easy exploitation and high-value access makes it extremely dangerous.

Organisations are advised to patch their WSUS servers with Microsoft’s emergency update as soon as possible. If patching is not immediately possible, restricting network access to WSUS ports is strongly recommended. Monitoring server activity for unusual commands or connections can also help detect a compromise early. Treating the server as potentially infected until proven safe is a smart approach.
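As an added example (not from the original article), the following PowerShell script carries out the interim measures described above on a WSUS host: it confirms the role is installed, shows which addresses the WSUS ports are listening on, scopes the inbound firewall rules for those ports to an allowed client range, and checks recent process-creation events for the pattern of built-in Windows tools being launched by the WSUS web worker. It assumes the WSUS default ports 8530 (HTTP) and 8531 (HTTPS), that WSUS web services run under the IIS worker process w3wp.exe, that process-creation auditing (event 4688 with command line) is enabled, and that `$AllowedClients` is replaced with your own management subnets.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Scopes a WSUS host's listening
# ports to a management range while a patch is pending, then looks for a common
# post-exploitation sign: the WSUS web worker spawning built-in tooling.
# ASSUMPTIONS: WSUS default ports 8530/8531; WSUS web services run under the
# IIS worker w3wp.exe; process-creation auditing (event 4688 with command line)
# is enabled. $AllowedClients is a placeholder for your own subnets.

$WsusPorts      = 8530, 8531
$AllowedClients = @('10.0.0.0/8')              # placeholder management range
$Lolbins        = 'cmd.exe', 'powershell.exe', 'certutil.exe', 'curl.exe', 'bitsadmin.exe'

# 1. Confirm the role is present (ServerManager module, Windows Server only).
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
if (-not ($role -and $role.Installed)) { Write-Warning 'WSUS role not installed.'; return }

# 2. Show what is listening on the WSUS ports. 0.0.0.0 or :: means every
#    interface, including any internet-facing one.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 3. Restrict every inbound Allow rule that opens a WSUS port to the allowed
#    ranges. Existing rules are edited instead of adding a Block rule, because
#    in Windows Firewall a matching Block rule wins over Allow rules.
$rules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $p = $_.LocalPort; $WsusPorts | Where-Object { $p -contains "$_" } } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($rules) {
    $rules | Set-NetFirewallRule -RemoteAddress $AllowedClients
    $rules | Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize
} else {
    Write-Warning 'No inbound Allow rule for the WSUS ports; verify the default inbound action is Block.'
}

# 4. Detection: process creations in the last 7 days whose parent is the IIS
#    worker and whose image is a built-in download/execution tool.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $d
    } |
    Where-Object { $_.ParentProcessName -like '*\w3wp.exe' -and
                   $Lolbins -contains (Split-Path $_.NewProcessName -Leaf) } |
    Select-Object NewProcessName, CommandLine, ParentProcessName | Format-Table -Wrap
```

Any hit from step 4 on a host that was exposed before patching should be treated as a possible compromise rather than explained away, in line with the advice above to assume infection until proven otherwise.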

In conclusion, the WSUS vulnerability CVE-2025-59287 is being actively used by attackers to deploy the ShadowPad malware. This is a critical situation because WSUS is a central part of many networks. Immediate patching, strict access control, and careful monitoring are essential. Taking action now can prevent attackers from gaining full control of an organisation’s systems.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news