
“Starting around 2025-10-23 23:34 UTC, Huntress observed threat actors targeting WSUS instances publicly exposed on their default ports (8530/TCP and 8531/TCP),” the company wrote in a blog post Friday. “Attackers leveraged exposed WSUS endpoints to send specially crafted requests (multiple POST calls to WSUS web services) that triggered a deserialization RCE against the update service.”
The exploit activity resulted in the WSUS worker process spawning command prompt and PowerShell instances. A base64-encoded payload was downloaded and executed in PowerShell to discover servers on the network and gather user information, which was then sent back to a remote attacker-controlled URL.
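The post-exploitation behaviour described above (a WSUS worker process spawning cmd.exe or PowerShell, in one case with a base64-encoded command) can be checked for in process-creation telemetry. The following is an added example, not code from the Huntress report; it assumes the worker process is either WsusService.exe or the w3wp.exe instance serving the WsusPool application pool, and the event fields and sample events are constructed.

```python
import base64
import re

# Assumed image names for "the WSUS worker process" (the article does not name it): the WSUS
# service itself, and the IIS worker process hosting the WSUS web services in the WsusPool pool.
WSUS_SERVICE = "wsusservice.exe"
IIS_WORKER = "w3wp.exe"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_wsus_worker(parent_image, parent_cmdline):
    name = basename(parent_image)
    # w3wp.exe is shared by every IIS app pool, so key on the WSUS pool only.
    return name == WSUS_SERVICE or (name == IIS_WORKER and "wsuspool" in parent_cmdline.lower())

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand argument (base64 of UTF-16LE text), or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def flag_wsus_shell_spawns(events):
    """One finding per cmd/PowerShell process whose parent is a WSUS worker process."""
    findings = []
    for ev in events:
        if is_wsus_worker(ev["parent_image"], ev["parent_cmdline"]) and basename(ev["image"]) in SHELLS:
            findings.append({"parent": basename(ev["parent_image"]), "child": basename(ev["image"]),
                             "decoded": decode_encoded_command(ev["cmdline"])})
    return findings

# Constructed sample process-creation events (Sysmon Event ID 1 fields); not from the report.
ENC = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
WSUS_POOL = 'w3wp.exe -ap "WsusPool"'
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "parent_cmdline": WSUS_POOL,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c hostname"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "parent_cmdline": WSUS_POOL,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "parent_cmdline": 'w3wp.exe -ap "DefaultAppPool"',
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},  # other pool: ignored
    {"parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},  # interactive shell: ignored
]
```

Run against the constructed events, `flag_wsus_shell_spawns(SAMPLE_EVENTS)` returns two findings, the second carrying the decoded `Get-Date` payload; the decoded text is what an analyst would triage next.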
The Huntress report includes detailed indicators of compromise, forensic artifacts, and detection rules in the open Sigma SIEM detection format.
