Sensors reporting firewall logs detected a significant increase in scans for port 8530\/TCP and 8531\/TCP over the course of last week. Some of these reports originate from Shadowserver, and likely other researchers, but there are also some that do not correspond to known research-related IP addresses.<\/p>\n
![\"graph](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/Screenshot%25202025-11-02%2520at%252012_42_35%25E2%2580%25AFPM.png?ssl=1\")
<\/p>\n
CVE-2025-59287 is exploited by connecting to affected WSUS servers on port 8530\/TCP\u00a0(non-TLS) or 8531\/TCP (TLS). Once connected, an attacker could exploit the vulnerability to execute scripts on a vulnerable server. Typically, an attacker begins by conducting reconnaissance and subsequently follows up with a network compromise.<\/p>\n
Sufficient details have been made public about the attack to suggest that any exposed vulnerable servers should be considered compromised at this point.<\/p>\n
\u00a0<\/p>\n
— (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t
\nJohannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu<\/a>
\nTwitter<\/a>|<\/p>\n
\n
<\/BR><\/p>\n