Windows Server flaw targeted by hackers to spread malware - here's what we know

1. Pro
2. Security

Windows Server flaw targeted by hackers to spread malware - here's what we know News By Sead Fadilpašić published 24 November 2025

We know who's using it and which malware it's spreading - but can it be stopped?

Comments (0) ()

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

(Image credit: Shutterstock)

• Chinese state-sponsored actors are exploiting CVE-2025-59287, a critical WSUS flaw enabling unauthenticated RCE with SYSTEM privileges
• AhnLab reports attackers using PowerCat and certutil/curl to deploy ShadowPad, a PlugX successor backdoor
• Likely targets include government, defense, telecom, and critical infrastructure sectors

Chinese state-sponsored threat actors are reportedly actively exploiting a vulnerability in the Microsoft Windows Server Update Services (WSUS), to spread malware, experts have warned.

As part of its October 2025 Patch Tuesday cumulative update, Microsoft addressed CVE-2025-59287, a “deserialization of untrusted data” flaw found in Windows Server Update Service (WSUS). The flaw was given a severity score of 9.8/10 (critical), as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, granting unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers, too.

• Amazon Black Friday deals are live: here are our picks!

Soon after, a publicly available proof-of-concept (PoC) code was spotted, prompting Microsoft to release an out-of-band (OOB) security update, as well.

You may like

• US Government orders patching of critical Windows Server security issue
• CISA warns high-severity Windows SMB flaw now exploited in attacks, so update now
• CISA warns Motex Landscope Endpoint Manager has a worrying security flaw, so patch now

Used for ShadowPad deployment

Now, security researchers from AhnLab Security Intelligence Center (ASEC) said they’re seeing attacks against unpatched endpoints, hinting that it’s the work of the Chinese.

"The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access," the report reads. "They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl."

ShadowPad is reportedly a successor to PlugX, a modular backdoor which was “widely used” by Chinese state-sponsored hacking collectives. It is deployed on target endpoints via DLL side-loading, through a legitimate binary named ETDCtrlHelper.exe.

We don’t know how many companies were targeted through WSUS, where they are, or in which industries they operate. However, if it’s the work of the Chinese, it’s either against the government, military and defense, telecommunications, or critical infrastructure.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsorsBy submitting your information you agree to the Terms & Conditions and Privacy Policy and are aged 16 or over.

"After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers," AhnLab said. "This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact."

WSUS allows IT admins to manage patching computers within their network.

Via The Hacker News

The best antivirus for all budgetsOur top picks, based on real-world testing and comparisons

➡️ Read our full guide to the best antivirus1. Best overall:Bitdefender Total Security2. Best for families:Norton 360 with LifeLock3. Best for mobile:McAfee Mobile Security

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!

And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

TOPICS Malware Sead FadilpašićSocial Links Navigation

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.

Logout Read more US Government orders patching of critical Windows Server security issue    CISA warns high-severity Windows SMB flaw now exploited in attacks, so update now    CISA warns Motex Landscope Endpoint Manager has a worrying security flaw, so patch now    New malware exploits trusted Windows drivers to get around security systems - here's how to stay safe    Chinese hackers target European diplomats with Windows zero-day flaw    Worrying WatchGuard VPN bug could let hackers hijack your devices - here's how to stay safe    Latest in Security Cox Enterprises hit by Oracle data breach - but it won't name who carried out the attack    Iberia tells customers it was hit by a major security breach    Google security experts say Gainsight hacks may have left hundreds of companies affected    Perplexity responds to Comet browser vulnerability claims, argues "fake news"    D-Link routers under threat from dangerous flaw - here's how to stay safe    Second-order prompt injection can turn AI into a malicious insider    Latest in News Windows Server flaw targeted by hackers to spread malware - here's what we know    OnePlus just dropped its own Apple Watch SE rival with the affordable Watch Lite    How to watch Bigg Boss 19 online for *FREE*    Valve dashes dreams of $500 Steam Machine with new hint on pricing    OnePlus 15R launch date confirmed – and it's arriving alongside two other devices    DJI explains what its looming US ban means for your drones    LATEST ARTICLES

1. 1Windows Server flaw targeted by hackers to spread malware - here's what we know
2. 2Need to protect your family online? This Aura plan can help, and it's on sale this Black Friday
3. 3Cox Enterprises hit by Oracle data breach - but it won't name who carried out the attack
4. 4165 million Americans suffered a data breach in 2025 – this $2 solution could stop you from being next
5. 5NordLocker is one of the most trusted security platforms out there - and its cloud storage offering has some great Black Friday deals