Scans for Port 8530/8531 (TCP). Likely related to WSUS Vulnerability CVE-2025-59287, (Sun, Nov 2nd)

**Published**: 2025-11-02. **Last Updated**: 2025-11-02 17:50:48 UTC **by** [Johannes Ullrich](https://plus.google.com/101587262224166552564?rel=author) (Version: 1)

Sensors reporting firewall logs detected a significant increase in scans for port 8530/TCP and 8531/TCP over the course of last week. Some of these reports originate from Shadowserver, and likely other researchers, but there are also some that do not correspond to known research-related IP addresses.

![graph showing an increase in scans for port 8531 over the last few days.](https://isc.sans.edu/diaryimages/images/Screenshot%202025-11-02%20at%2012_42_35%E2%80%AFPM.png)

CVE-2025-59287 is exploited by connecting to affected WSUS servers on port 8530/TCP (non-TLS) or 8531/TCP (TLS). Once connected, an attacker could exploit the vulnerability to execute scripts on a vulnerable server. Typically, an attacker begins by conducting reconnaissance and subsequently follows up with a network compromise.

Sufficient details have been made public about the attack to suggest that any exposed vulnerable servers should be considered compromised at this point.

– Johannes B. Ullrich, Ph.D., Dean of Research, [SANS.edu](https://sans.edu) [Twitter](https://jbu.me/164)

Keywords: [WSUS](/tag.html?tag=WSUS)
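To check your own perimeter logs for the activity described above, the following added example (not part of the original diary) summarises connections to 8530/TCP and 8531/TCP from sources outside your trusted networks and lists the servers those sources were allowed to reach. The key=value log layout, the `ACTION` field, the trusted network range and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

WSUS_PORTS = {8530, 8531}  # 8530/TCP (non-TLS) and 8531/TCP (TLS), per the diary
# Assumption: networks whose hosts legitimately talk to the WSUS server.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample lines; the key=value layout and ACTION field are assumptions.
SAMPLE_LOG = """\
Nov  2 12:01:10 fw IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=8530 ACTION=DROP
Nov  2 12:01:11 fw IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP DPT=8531 ACTION=DROP
Nov  2 12:03:40 fw IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=8531 ACTION=ACCEPT
Nov  2 12:04:02 fw IN=eth1 SRC=10.1.2.3 DST=10.0.0.5 PROTO=TCP DPT=8530 ACTION=ACCEPT
Nov  2 12:04:30 fw IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=443 ACTION=ACCEPT
Nov  2 12:05:00 fw IN=eth0 SRC=bad DST=203.0.113.10 PROTO=TCP DPT=8530 ACTION=DROP
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def wsus_probes(log_text, trusted=TRUSTED_NETS):
    """Summarise TCP traffic to WSUS ports from sources outside the trusted networks."""
    probes = defaultdict(lambda: {"hits": 0, "ports": set(), "accepted": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            port, src = int(f["DPT"]), ipaddress.ip_address(f["SRC"])
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete lines
        if f.get("PROTO") != "TCP" or port not in WSUS_PORTS:
            continue
        if any(src in net for net in trusted):
            continue  # expected WSUS client
        entry = probes[str(src)]
        entry["hits"] += 1
        entry["ports"].add(port)
        # The firewall let this connection through to the destination.
        if f.get("ACTION") == "ACCEPT" and "DST" in f:
            entry["accepted"].add(f["DST"])
    return dict(probes)

def exposed_servers(probes):
    """Destinations an untrusted source was allowed to reach on a WSUS port."""
    return sorted({dst for e in probes.values() for dst in e["accepted"]})

if __name__ == "__main__":
    found = wsus_probes(SAMPLE_LOG)
    print(found, "review for compromise:", exposed_servers(found))
```

Any address returned by `exposed_servers` was reachable on a WSUS port from outside the trusted range and falls under the diary's advice to treat exposed vulnerable servers as compromised.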

Related Tags:

Topic: Zero Day

NAICS: 551 – Management Of Companies And Enterprises

NAICS: 55 – Management Of Companies And Enterprises

NAICS: 54 – Professional, Scientific, Technical Services

NAICS: 541 – Professional, Scientific, Technical Services

NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, Related Services

NAICS: 51 – Information

Blog: SANS Internet Storm Center

Exploitation of Remote Services