A critical Windows Server Update Services (WSUS) vulnerability (CVE-2025-59287) is being actively exploited across multiple organizations. Google's threat intelligence team identified attacks by threat actor UNC6512, with approximately 100,000 exploitation attempts detected in the past week. The flaw affects Windows Server versions 2012-2025 and allows unauthenticated remote code execution. Microsoft's initial October patch failed to fully address the vulnerability, requiring an emergency fix. Attackers are targeting publicly exposed WSUS instances, performing reconnaissance, and exfiltrating system information, with potential for pushing malicious updates to downstream enterprise systems.

From go.theregister.com