“Beginning round 2025-10-23 23:34 UTC, Huntress noticed menace actors focusing on WSUS cases publicly uncovered on their default ports (8530/TCP and 8531/TCP),” the corporate wrote in a weblog submit Friday. “Attackers leveraged uncovered WSUS endpoints to ship specifically crafted requests (a number of POST calls to WSUS internet providers) that triggered a deserialization RCE towards the replace service.”
The exploit exercise resulted within the WSUS employee course of spawning command immediate and PowerShell cases. A base64-encoded payload was downloaded and executed in PowerShell with the purpose of discovering servers on the community and gathering person info which was then despatched again to a distant attacker-controlled URL.
The Huntress report contains detailed indicators of compromise, forensic artifacts, and detection guidelines within the open Sigma SIEM detection format.
