Current Cyber Threats

ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access

Summary:
Last month, Microsoft addressed a critical deserialization flaw in Windows Server Update Services (WSUS) that enables unauthenticated remote code execution with SYSTEM privileges. Tracked as CVE-2025-59287, the vulnerability is under active exploitation, with actors leveraging it to gain access to WSUS instances and deploy malicious payloads.

A recent intrusion was identified by AhnLab SEcurity intelligence Center (ASEC), in which actors targeted Windows servers with the vulnerable WSUS role enabled for initial access. After gaining a foothold, the actors used PowerCat, an open-source PowerShell implementation of Netcat, to obtain a system shell (CMD). From there, they executed the legitimate Windows utilities curl[.]exe and certutil[.]exe to contact an external server and download and install ShadowPad.

ShadowPad is a modular backdoor assessed to be privately sold to Chinese state-backed APT groups. Rather than running as its own executable, it is loaded by a legitimate executable via DLL sideloading, which lets it persist and evade security defenses.

“ShadowPad rarely operates as a standalone executable. Instead, it relies on DLL sideloading. In the latest case, ShadowPad is executed through an EXE and DLL file pair. When the legitimate executable (ETDCtrlHelper.exe) runs, the malicious DLL (ETDApix.dll) acts as the ShadowPad loader, operating entirely in memory,” notes ASEC in its new blog post.

Once loaded, ShadowPad functions as a remote access trojan, enabling actors to execute commands and control the compromised system remotely.

Security Officer Comments:
Proof-of-concept exploit code for CVE-2025-59287 was released on October 22, 2025, lowering the bar for exploitation in the wild. Because CVE-2025-59287 yields remote code execution with SYSTEM privileges, successful exploitation gives actors full control of the WSUS server: they can disable security tools, add local users, and deploy payloads like ShadowPad for persistent access. Furthermore, since many organizations rely on WSUS to manage and distribute Microsoft product updates across their fleet, a compromised WSUS server can serve as a pivot for lateral movement and complete network compromise.

Suggested Corrections:
To mitigate the risk, security managers in organizations using WSUS should immediately implement the following measures:
  1. Apply Microsoft's latest security update addressing CVE-2025-59287.
  2. Review WSUS server exposure and access controls:
     • Ensure only Microsoft Update servers can access WSUS.
     • Consider blocking inbound traffic on TCP ports 8530 and 8531 from all other sources.
  3. Audit for suspicious activity, including:
     • execution history of PowerShell, certutil.exe, and curl.exe
     • network connection logs for anomalous patterns
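
The following PowerShell triage script is an added example for this advisory, not code from ASEC, Microsoft, or The Hacker News. It turns the corrections above into checks an administrator can run on the WSUS host, and it also looks for the post-exploitation indicators described in the intrusion write-up (certutil.exe/curl.exe/PowerShell process creation, and the ETDCtrlHelper.exe/ETDApix.dll sideloading pair). Assumptions: the KB number of the fix is supplied by the reader from the Microsoft advisory (the page does not state it); the directories swept for the sideloading pair are a guess; the heuristic that a w3wp.exe or WsusService.exe parent indicates exploitation of the WSUS service is the editor's, not ASEC's; and Security event 4688 with command-line logging must be enabled for the process audit to return anything useful.

```powershell
# Added example for this advisory; not code from ASEC, Microsoft, or The Hacker News.
# Run elevated on the WSUS host. Every assumption is marked in a comment.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # KB number of the Microsoft update that fixes CVE-2025-59287 for this OS build.
    # Assumption: the reader takes it from the Microsoft advisory; it is not given on this page.
    [Parameter(Mandatory)][string]$PatchKB,
    [int]$LookbackDays = 30,
    # Assumption: likely drop locations for an EXE/DLL pair staged by an attacker.
    [string[]]$SearchRoots = @("$env:ProgramData", "$env:SystemDrive\Users", "$env:windir\Temp")
)

$wsusPorts = 8530, 8531
$report = [ordered]@{}

# 1. Patch state. Get-HotFix reads Win32_QuickFixEngineering, which can miss some update
#    types; if this is $false, confirm against Windows Update history before concluding.
$report.PatchInstalled = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

# 2. Exposure: which WSUS ports are listening, and which enabled inbound allow rules reach them.
$report.ListeningWsusPorts = @(
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $wsusPorts -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique
)
$report.InboundAllowRules = @(
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $pf    = $_ | Get-NetFirewallPortFilter
            $ports = @($pf.LocalPort)
            # Port ranges such as "8530-8531" are not expanded here; "Any" is treated as exposed.
            $hit = ($pf.Protocol -in @('TCP', 'Any')) -and
                   (($ports -contains 'Any') -or ($ports | Where-Object { $wsusPorts -contains $_ }))
            if ($hit) {
                $af = $_ | Get-NetFirewallAddressFilter
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    Profile       = $_.Profile
                    LocalPort     = ($ports -join ',')
                    RemoteAddress = (@($af.RemoteAddress) -join ',')   # "Any" = reachable from every source
                }
            }
        }
)

# 3. Process-creation audit: Security 4688 events for the LOLBins seen after the WSUS exploit.
#    "Audit Process Creation" and "Include command line in process creation events" must be
#    enabled, otherwise CommandLine is empty.
$suspectImages = 'certutil.exe', 'curl.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe'
$filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$LookbackDays) }
$report.SuspectProcesses = @(
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $image = [IO.Path]::GetFileName([string]$d['NewProcessName'])
        if ($suspectImages -contains $image) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Image         = $image
                Parent        = $d['ParentProcessName']
                CommandLine   = $d['CommandLine']
                # Assumption (editor's heuristic): an IIS/WSUS service process as parent means the
                # shell was spawned through the deserialization bug rather than by an administrator.
                ServiceParent = ([string]$d['ParentProcessName'] -match 'w3wp\.exe$|wsusservice\.exe$')
            }
        }
    }
)

# 4. The EXE/DLL sideloading pair from the ASEC case, staged anywhere under $SearchRoots.
$report.SideloadPairs = @(
    Get-ChildItem -Path $SearchRoots -Filter 'ETDApix.dll' -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.DirectoryName 'ETDCtrlHelper.exe') } |
        Select-Object -ExpandProperty DirectoryName
)

[pscustomobject]$report
```

Save the block as a .ps1 file and run it elevated on each WSUS host, passing the KB number from the Microsoft advisory as -PatchKB. A non-empty InboundAllowRules entry with RemoteAddress "Any" on a server that is reachable from outside the update-management network is the exposure item 2 warns about; any SuspectProcesses row with ServiceParent set to True, or any SideloadPairs hit, should be treated as a confirmed intrusion and escalated to incident response rather than simply remediated.
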
Link(s):
https://thehackernews.com/2025/11/shadowpad-malware-actively-exploits.html