Windows Server flaw targeted by hackers to spread malware - here's what we know

1. Pro
2. Security

Windows Server flaw targeted by hackers to spread malware - here's what we know News By Sead Fadilpašić published 24 November 2025

We know who's using it and which malware it's spreading - but can it be stopped?

Comments (0) ()

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: Shutterstock)

• Chinese state-sponsored actors are exploiting CVE-2025-59287, a critical WSUS flaw enabling unauthenticated RCE with SYSTEM privileges
• AhnLab reports attackers using PowerCat and certutil/curl to deploy ShadowPad, a PlugX successor backdoor
• Likely targets include government, defense, telecom, and critical infrastructure sectors

Chinese state-sponsored threat actors are reportedly actively exploiting a vulnerability in the Microsoft Windows Server Update Services (WSUS), to spread malware, experts have warned.

As part of its October 2025 Patch Tuesday cumulative update, Microsoft addressed CVE-2025-59287, a “deserialization of untrusted data” flaw found in Windows Server Update Service (WSUS). The flaw was given a severity score of 9.8/10 (critical), as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, granting unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers, too.

• Amazon Black Friday deals are live: here are our picks!

Soon after, a publicly available proof-of-concept (PoC) code was spotted, prompting Microsoft to release an out-of-band (OOB) security update, as well.

You may like

• US Government orders patching of critical Windows Server security issue
• CISA warns high-severity Windows SMB flaw now exploited in attacks, so update now
• CISA warns Motex Landscope Endpoint Manager has a worrying security flaw, so patch now

Used for ShadowPad deployment

Now, security researchers from AhnLab Security Intelligence Center (ASEC) said they’re seeing attacks against unpatched endpoints, hinting that it’s the work of the Chinese.

"The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access," the report reads. "They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl."

ShadowPad is reportedly a successor to PlugX, a modular backdoor which was “widely used” by Chinese state-sponsored hacking collectives. It is deployed on target endpoints via DLL side-loading, through a legitimate binary named ETDCtrlHelper.exe.

We don’t know how many companies were targeted through WSUS, where they are, or in which industries they operate. However, if it’s the work of the Chinese, it’s either against the government, military and defense, telecommunications, or critical infrastructure.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

"After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers," AhnLab said. "This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact."

WSUS allows IT admins to manage patching computers within their network.

Via The Hacker News

The best antivirus for all budgetsOur top picks, based on real-world testing and comparisons

➡️ Read our full guide to the best antivirus1. Best overall:Bitdefender Total Security2. Best for families:Norton 360 with LifeLock3. Best for mobile:McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS Malware Sead FadilpašićSocial Links Navigation

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Logout Read more US Government orders patching of critical Windows Server security issue    CISA warns high-severity Windows SMB flaw now exploited in attacks, so update now    CISA warns Motex Landscope Endpoint Manager has a worrying security flaw, so patch now    New malware exploits trusted Windows drivers to get around security systems - here's how to stay safe    Chinese hackers target European diplomats with Windows zero-day flaw    Worrying WatchGuard VPN bug could let hackers hijack your devices - here's how to stay safe    Latest in Security Black Friday shopping scams are on the rise - experts warn many new domains could be dodgy, here's what to look for    Cox Enterprises hit by Oracle data breach - but it won't name who carried out the attack    Iberia tells customers it was hit by a major security breach    Google security experts say Gainsight hacks may have left hundreds of companies affected    Experts tried to get AI to create malicious security threats - but what it did next was a surprise even to them    Perplexity responds to Comet browser vulnerability claims, argues "fake news"    Latest in News New DragonFire laser shoots down high-speed drones with incredible accuracy    Sam Altman and Jony Ive AI device is now in its prototype phase and its 'vibe' is defined    Where to watch Blossoms Shanghai online — for *FREE*    Fed up with sluggish folders in Windows 11? Microsoft says it's fixing this    Disney's new Olaf robot is so real, it'll give you chills    ChatGPT’s new Shopping Research tool compares products for you    LATEST ARTICLES

1. 1New DragonFire laser shoots down high-speed drones with incredible accuracy
2. 2GMKtec's next mini PC will be the first to feature Intel Panther Lake - and some other seriously impressive specs
3. 3Experts tried to get AI to create malicious security threats - but what it did next was a surprise even to them
4. 4Sam Altman and Jony Ive AI device is now in its prototype phase and its 'vibe' is defined
5. 5What is the release date for Pluribus episode 5 on Apple TV?