Attackers Exploit WSUS RCE Vulnerability to Deploy ShadowPad Backdoor

A critical WSUS remote code execution flaw is being weaponized to install the ShadowPad backdoor.


Key Takeaways:

  • Critical Windows flaw allows attackers to escalate privileges.
  • Microsoft issues emergency patch and WSUS security guidance.
  • Strong monitoring and segmentation help curb deeper breaches.

A critical flaw in Microsoft’s Windows Server Update Services (WSUS) servers has exposed enterprise networks to potential attackers, allowing them to gain full system control. Security researchers have discovered a sophisticated campaign leveraging this vulnerability to deploy the ShadowPad backdoor.

How do attackers use the flaw to deploy ShadowPad?

This security flaw (CVE-2025-59287) is a critical, unauthenticated remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), caused by unsafe deserialization within its web service component. It enables attackers to run arbitrary code with SYSTEM-level privileges. Microsoft addressed the issue with emergency out-of-band patches released on October 23–24, 2025.

The attack chain begins when threat actors exploit the WSUS vulnerability to gain SYSTEM-level access on targeted servers without authentication. After establishing control, they use tools like PowerCat to create a remote shell, then download and decode ShadowPad components using legitimate utilities such as curl.exe and certutil.exe. These components are deployed through DLL side-loading that allows the backdoor to run stealthily in memory, maintain persistence via scheduled tasks and registry changes, and communicate with command-and-control servers over disguised HTTP/HTTPS traffic.

Why does ShadowPad pose a serious threat?

ShadowPad is a highly advanced, modular backdoor associated with state-sponsored threat groups that provides attackers with stealthy and persistent access to compromised systems. It is typically deployed through DLL side-loading, where a legitimate executable loads a malicious DLL into memory, while an encrypted configuration file manages its operations.

Once installed, ShadowPad ensures persistence through scheduled tasks, registry modifications, and process injection into trusted applications, and it communicates with command-and-control servers over HTTP or HTTPS using traffic patterns that mimic normal browser activity to evade detection.

Best practices to boost defense

To protect against these attacks, organizations should prioritize applying Microsoft’s emergency patches for CVE-2025-59287 as soon as possible. Administrators should also isolate WSUS servers from untrusted networks and configure them to communicate only with official Microsoft update sources.

Additionally, organizations must ensure continuous monitoring for suspicious activity (such as unexpected use of tools like curl.exe, certutil.exe, or PowerShell scripts). It’s also recommended to implement application whitelisting to block unauthorized DLL side-loading. Security teams should also boost defenses through network segmentation, reviewing scheduled tasks and registry changes, and deploying advanced threat detection solutions to reduce the risk of persistence and lateral movement.
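As an added illustration of the monitoring advice above (example code written for this page, not from the article, Microsoft, or any vendor), the following detector runs over process-creation telemetry and flags the WSUS web service spawning the shells and download/decode tools named in the attack chain. It assumes the WSUS web service runs in an IIS worker process (w3wp.exe) or as WsusService.exe, and uses constructed Sysmon-like JSON-lines records rather than real logs.

```python
import json
from typing import Iterable, List, Optional, Tuple

# Assumption: the WSUS web service runs in an IIS worker process (w3wp.exe) and the
# WSUS service itself is WsusService.exe; adjust this set to your own telemetry.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
# Tools named in the attack chain above, plus the shells used to launch them.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe", "certutil.exe"}

# Constructed sample process-creation events in a Sysmon-like JSON-lines shape (not real telemetry).
SAMPLE_EVENTS = "\n".join([
    r'{"ProcessId": 1201, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", '
    r'"Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami"}',
    r'{"ProcessId": 1202, "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", '
    r'"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -decode in.txt out.dll"}',
    r'{"ProcessId": 1203, "ParentImage": "C:\\Windows\\explorer.exe", '
    r'"Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -decode a.b64 a.bin"}',
    r'{"ProcessId": 1204, "ParentImage": "C:\\Windows\\System32\\services.exe", '
    r'"Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"}',
])

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> Optional[str]:
    """Return a verdict label for one event, or None if it looks benign."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    # Strongest signal: the WSUS web service should never spawn shells or download/decode tools.
    if parent in WSUS_PARENTS and child in SUSPICIOUS_CHILDREN:
        return f"wsus-child-process:{child}"
    # Weaker, parent-independent signal: certutil used as a decoder, as in the ShadowPad staging step.
    if child == "certutil.exe" and "-decode" in cmdline:
        return "certutil-decode"
    return None

def scan(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Run classify() over JSON-lines input and return (ProcessId, verdict) for each hit."""
    hits = []
    for line in lines:
        if not line.strip():
            continue  # tolerate blank lines in exported logs
        event = json.loads(line)
        verdict = classify(event)
        if verdict:
            hits.append((event["ProcessId"], verdict))
    return hits
```

Feed `scan()` the lines of a real export (Sysmon Event ID 1 or Security 4688 converted to JSON) and triage the `wsus-child-process` hits first; the `certutil-decode` hits are noisier and need context.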