WSUS abused to drop ShadowPad — patch first, ask questions after.

Threat actors are abusing a freshly patched WSUS flaw (CVE-2025-59287) to push ShadowPad malware and gain full SYSTEM access. Reports note attackers chaining living-off-the-land tools (PowerShell, certutil, curl) and DLL side-loading to land ShadowPad after initial WSUS abuse. Mitigation is straightforward: apply Microsoft’s out-of-band fix, lock down WSUS, and monitor for suspicious PowerShell from wsusservice.exe/w3wp.exe. Federal agencies have been ordered to patch; enterprises should treat this as urgent given the central role of WSUS in Windows fleets.

A critical WSUS vulnerability (CVE-2025-59287) is being used in the wild to deploy ShadowPad — a modular backdoor loved by espionage actors. The playbook is depressingly efficient: hijack WSUS, run SYSTEM-level PowerShell, and then side-load DLLs to light up ShadowPad. When your patch server becomes the attacker, every endpoint downstream is a potential stepping stone.

The fix exists — Microsoft shipped an out-of-band patch — and CISA has waved the big red flag for government networks. For everyone else, the message is the same: patch, prune, and watch those logs. Look for Base64-heavy PowerShell, unexpected network calls from WSUS processes, and any new services or scheduled tasks that weren’t there yesterday.
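The hunting guidance above (shells or download tools spawned under WSUS processes, Base64-heavy PowerShell) as a small detection routine over process-creation telemetry. This is an added example, not code from the original post or from Microsoft; the event tuples are constructed samples, the field layout is assumed to mirror Sysmon Event 1 / Security 4688, and the regexes and thresholds are illustrative choices.

```python
import base64
import re

# WSUS-owned parents and the LOLBins the reporting names; the pairing is the signal.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe", "curl.exe"}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")  # long unbroken base64 run (threshold is arbitrary)

def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand payload (base64 of UTF-16LE); None if absent or invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(parent_image, image, command_line):
    """Return the reasons a process-creation event looks suspicious (empty list = benign)."""
    parent, child = _basename(parent_image), _basename(image)
    reasons = []
    if parent in WSUS_PARENTS and child in LOLBINS:
        reasons.append(f"{child} spawned by WSUS process {parent}")
    if child in ("powershell.exe", "pwsh.exe"):
        if decode_encoded_command(command_line) is not None:
            reasons.append("encoded PowerShell command")
        elif B64_BLOB.search(command_line):
            reasons.append("base64-heavy PowerShell command line")
    return reasons

def hunt(events):
    # Map event index -> reasons for every (parent, image, cmdline) tuple that trips a rule.
    return {i: r for i, ev in enumerate(events) if (r := classify(*ev))}

# Constructed sample telemetry for demonstration, not real indicators; the encoded payload is harmless.
SAMPLE_ENC = base64.b64encode("Write-Host hello".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    (r"C:\Program Files\Update Services\Service\WsusService.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     f"powershell.exe -nop -w hidden -EncodedCommand {SAMPLE_ENC}"),
    (r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\certutil.exe",
     "certutil.exe -hashfile update.cab SHA256"),          # benign-looking cmdline, wrong parent
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-Service"),                        # normal admin use, not flagged
]
```

Note that the second sample fires purely on the parent/child pairing: on a WSUS host the relationship is the signal, so the rule does not depend on recognising a particular command line.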

To-do list for IT:
• Patch WSUS now and review who can touch it.
• Restrict WSUS to management networks; enforce TLS/EPA where applicable.
• Hunt for ShadowPad footprints and recent DLL side-loading events.
• If you use downstream WSUS, check each tier for tampering.
It’s not glamorous, but it’s vital: when the update pipeline is trusted by design, hardening WSUS is one of the highest-leverage moves you can make.