Scans for Port 8530/8531 (TCP). Likely related to WSUS Vulnerability CVE-2025-59287

    Published: 2025-11-02. Last Updated: 2025-11-02 17:50:48 UTC
    by Johannes Ullrich (Version: 1)

    Sensors reporting firewall logs detected a significant increase in scans for port 8530/TCP and 8531/TCP over the course of last week. Some of these reports originate from Shadowserver, and likely other researchers, but there are also some that do not correspond to known research-related IP addresses.

    [Figure: graph showing an increase in scans for port 8531 over the last few days.]

    CVE-2025-59287 is exploited by connecting to affected WSUS servers on port 8530/TCP (non-TLS) or 8531/TCP (TLS). Once connected, an attacker could exploit the vulnerability to execute scripts on a vulnerable server. Typically, an attacker begins by conducting reconnaissance and subsequently follows up with a network compromise.

    Sufficient details have been made public about the attack to suggest that any exposed vulnerable servers should be considered compromised at this point.
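
    One way to triage firewall logs for the activity described above, added here as an example and not part of the original diary: it counts external sources probing 8530/TCP and 8531/TCP and lists WSUS hosts that accepted such a connection from outside. The key=value log format, the internal range and the research-scanner allowlist are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

WSUS_PORTS = {8530, 8531}  # 8530/TCP (non-TLS) and 8531/TCP (TLS), per the diary

# Assumptions: replace with your own address plan and scanner allowlist.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
RESEARCH_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # placeholder, not a real scanner range

# Constructed sample lines in an assumed key=value firewall log format.
SAMPLE_LOG = """\
2025-10-30T02:11:07Z ACTION=DROP SRC=203.0.113.45 DST=10.1.1.20 PROTO=TCP DPT=8530
2025-10-30T02:11:09Z ACTION=DROP SRC=203.0.113.45 DST=10.1.1.20 PROTO=TCP DPT=8531
2025-10-31T14:02:51Z ACTION=ACCEPT SRC=198.51.100.7 DST=10.1.1.20 PROTO=TCP DPT=8531
2025-10-31T14:05:00Z ACTION=ACCEPT SRC=10.2.3.4 DST=10.1.1.20 PROTO=TCP DPT=8530
2025-11-01T08:00:12Z ACTION=DROP SRC=192.0.2.10 DST=10.1.1.20 PROTO=TCP DPT=8530
2025-11-01T09:30:00Z ACTION=DROP SRC=203.0.113.45 DST=10.1.1.20 PROTO=TCP DPT=443
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

def in_any(addr, nets):
    return any(addr in net for net in nets)

def triage(log_text):
    """Return (scans, exposed): hits per unexplained external source, and
    WSUS hosts that accepted a connection from any external source."""
    scans = defaultdict(int)
    exposed = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        try:
            if fields["PROTO"] != "TCP" or int(fields["DPT"]) not in WSUS_PORTS:
                continue
            src = ipaddress.ip_address(fields["SRC"])
        except (KeyError, ValueError):
            continue  # malformed or unrelated line
        if in_any(src, INTERNAL_NETS):
            continue  # internal WSUS clients are expected traffic
        if not in_any(src, RESEARCH_NETS):
            scans[str(src)] += 1  # scan not explained by known researchers
        # Reachability from outside matters regardless of who connected.
        if fields.get("ACTION") == "ACCEPT":
            exposed[fields.get("DST", "?")].add(str(src))
    return dict(scans), {dst: sorted(srcs) for dst, srcs in exposed.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

    Any host that appears in the second result was reachable on a WSUS port from outside the internal range and is a candidate for the compromise assessment the diary recommends.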

     

    --
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu

    Keywords: WSUS