{"id":8110,"date":"2025-11-01T10:04:18","date_gmt":"2025-11-01T10:04:18","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/11\/01\/hackers-exploiting-windows-server-update-services-flaw-to-steal-sensitive-data-from-organizations\/"},"modified":"2025-11-01T10:04:18","modified_gmt":"2025-11-01T10:04:18","slug":"hackers-exploiting-windows-server-update-services-flaw-to-steal-sensitive-data-from-organizations","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/11\/01\/hackers-exploiting-windows-server-update-services-flaw-to-steal-sensitive-data-from-organizations\/","title":{"rendered":"Hackers Exploiting Windows Server Update Services Flaw to Steal Sensitive Data from Organizations"},"content":{"rendered":"<div>\n<p>A Windows Server Update Services (WSUS) vulnerability is being actively exploited in the wild. 
Criminals are using this vulnerability to steal sensitive data from organizations in various industries.<\/p>\n<p>The vulnerability, tracked as <a href=\"https:\/\/cybersecuritynews.com\/microsoft-october-2025-patch-tuesday\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-59287<\/a>, was patched by Microsoft on October 14, 2025, but attackers quickly began abusing it after proof-of-concept code became publicly available on GitHub.<\/p>\n<p>Sophos telemetry indicates that exploitation began on October 24, 2025, just hours after technical analysis and exploit code were released online.<\/p>\n<p>The threat actors targeted internet-facing WSUS servers in universities, technology companies, manufacturing firms, and healthcare organizations, primarily based in the United States.<\/p>\n<p>While Sophos has confirmed six incidents so far, security experts believe the actual number of compromised organizations is significantly higher.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Sophos researchers have identified real-world exploitation of a newly disclosed vulnerability in Windows Server Update Services (WSUS), where threat actors are harvesting sensitive data from organizations.<\/p>\n<p>\u2014 Sophos X-Ops (@SophosXOps) <a href=\"https:\/\/twitter.com\/SophosXOps\/status\/1983880992122097745?ref_src=twsrc%5Etfw\">October 30, 2025<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-how-the-attacks-unfold\"><strong>How the Attacks Unfold<\/strong><\/h2>\n<p>The exploitation leverages a critical deserialization bug in WSUS that allows unauthenticated remote code execution. 
When attackers target vulnerable servers, they inject Base64-encoded <a href=\"https:\/\/cybersecuritynews.com\/patchwork-apt-using-powershell-commands\/\" target=\"_blank\" rel=\"noreferrer noopener\">PowerShell commands<\/a> through nested command processes running with the privileges of the IIS worker process.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj_MkGgiI7tY_Z4kPE0jcXXyNEXi5djpCybTAIvFpkzINQd4cDAp5Qir0k-IOmrSuJ9mCTHaFGqKL9mTDRl3vx5gOycUehXu_9flZxtZW0ESk5y6ojlJMuvxOwn68bAbwXXVXgU-uKr-TSEBqgn9O32ho9gHBCvipGBm6fnwroIguF9WRadO1GpIJZ1kx2F\/w640-h212\/WSUS2510-fig1.webp?ssl=1\" alt=\"\"><\/figure>\n<p>The malicious script executes silently on compromised systems, gathering valuable intelligence about targeted organizations.<\/p>\n<p>The harvested data includes external IP addresses and ports of vulnerable hosts, enumerated lists of Active Directory domain users, and detailed network interface configurations. 
This information is then exfiltrated to webhook.site URLs controlled by the attackers.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgRH6fqjv6tkjYvlDxbv2nH0xNpyANq1nBSus4JhmQP_Q78JgOVBwh5qt7M0W6nhGIdnQVj_55GathGxD0WQ1tp26EkAHBzhm9CAFjJrL9PZjmTAbr1QVTafOHNI6NYqhOSKvM-uGGPqlp2PawJjFb2x-DBdPwDEzHlScjI-CcgmtyLcDdxobcYRAreT-s_\/s16000\/WSUS2510-fig3.webp?ssl=1\" alt=\"\"><\/figure>\n<p>Sophos researchers <a href=\"https:\/\/news.sophos.com\/en-us\/2025\/10\/29\/windows-server-update-services-wsus-vulnerability-abused-to-harvest-sensitive-data\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">discovered<\/a> four unique webhook.site URLs associated with the attacks, with three linked to the platform\u2019s free service tier.<\/p>\n<p>By analyzing the request logs on two publicly accessible URLs, researchers observed that exploitation began at 02:53 UTC on October 24 and reached the maximum threshold of 100 requests by 11:32 UTC the same day.<\/p>\n<p>The rapid exploitation of this <a href=\"https:\/\/cybersecuritynews.com\/cisa-threat-detections-wsus-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerability<\/a> demonstrates how quickly threat actors move to weaponize newly disclosed flaws.<\/p>\n<p>The indiscriminate nature of the attacks suggests cybercriminals are scanning for exposed WSUS servers on the internet and exploiting them opportunistically rather than targeting specific organizations.<\/p>\n<p>According to Rafe Pilling, Director of <a href=\"https:\/\/cybersecuritynews.com\/threat-intelligence-for-businesses\/\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence<\/a> at Sophos, \u201cThis activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations.\u201d<\/p>\n<p>The stolen data could be used 
for reconnaissance or follow-up attacks, or sold to other malicious actors on underground marketplaces. Organizations running WSUS services should immediately apply <a href=\"https:\/\/cybersecuritynews.com\/microsoft-update-active-directory-sync\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft\u2019s security<\/a> patches and conduct thorough reviews of their network configurations.<\/p>\n<p>Additionally, companies should identify any WSUS server interfaces exposed to the internet and restrict access to WSUS ports 8530 and 8531 only to systems that genuinely require connectivity.<\/p>\n<p>Security teams should review logs for signs of exploitation and implement network segmentation to prevent lateral movement if compromises are discovered.<\/p>\n
<p>The post <a href=\"https:\/\/cybersecuritynews.com\/wsus-vulnerability-actively-exploited\/\">Hackers Exploiting Windows Server Update Services Flaw to Steal Sensitive Data from Organizations<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Exploiting Windows Server Update Services Flaw to Steal Sensitive Data from Organizations Windows Server Update Services (WSUS) vulnerability is actively exploited in the wild. Criminals are using this vulnerability to steal sensitive data from organizations in various industries. 
The vulnerability, tracked as CVE-2025-59287, was patched by Microsoft on October 14, 2025, but attackers quickly [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648,395],"tags":[130],"class_list":["post-8110","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","category-windows","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8110"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=8110"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/8110\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=8110"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=8110"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=8110"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}