
Critical WSUS Vulnerability CVE-2025-59287 Exploited to Deploy Crypto-Targeting Skuld Stealer Malware

A critical remote code execution vulnerability in Microsoft’s Windows Server Update Service is being actively exploited by threat actors to deploy data-stealing malware that specifically targets cryptocurrency wallets. On October 24, 2025, the US Cybersecurity and Infrastructure Security Agency added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, signaling the severity and immediacy of the threat. The vulnerability carries a CVSS score of 9.8 out of 10, placing it in the highest severity category and making it one of the most dangerous security flaws disclosed in 2025. With Bitcoin trading above $111,000 and the cryptocurrency market at all-time highs, the timing of this exploit makes crypto holders and enterprise infrastructure particularly attractive targets.

The Exploit Mechanics

CVE-2025-59287 is a deserialization vulnerability in the Windows Server Update Service that allows unauthorized attackers to execute arbitrary code over a network without any authentication. The flaw exists in the GetCookie() endpoint of WSUS, where unsafe deserialization of AuthorizationCookie objects enables remote code execution with SYSTEM privileges, the highest permission level on a Windows machine. The root cause traces back to Microsoft’s use of BinaryFormatter, a serialization mechanism that the company itself deprecated and removed from .NET 9 in 2024 due to inherent security risks. Despite deprecating the technology, legacy components like WSUS continued to rely on it, creating the exact type of attack surface that security researchers had been warning about. Researchers MEOW and Markus Wulftange of CODE WHITE GmbH reported the vulnerability to Microsoft, which released its initial fix during the October 2025 Patch Tuesday. However, the patch proved insufficient, forcing Microsoft to issue an urgent out-of-band update on October 23 to comprehensively address the flaw across all supported Windows Server versions from 2012 through 2025.

Affected Systems

Cybersecurity firm Darktrace investigated two separate incidents involving US-based organizations where the vulnerability was exploited in real-world attacks. In the first case, a WSUS server belonging to a company in the Information and Communication sector began making unusual connections to webhook.site at approximately 3:55 AM on October 24, the very same day CISA added the flaw to its catalog. Attackers used legitimate tools including PowerShell and cURL to establish remote control of the server, a technique that makes the attack harder to detect because these tools are commonly used in normal administrative operations. By October 26, the compromised server was connecting to rare subdomains of workers.dev, a service frequently abused by threat actors for command-and-control communications. The attackers then downloaded a legitimate security tool called Velociraptor, exploiting a vulnerable version to create a hidden communication tunnel back to their command infrastructure. The malicious activity continued through October 27, culminating in the deployment of Skuld Stealer, a data-stealing malware specifically designed to extract cryptocurrency wallet data, browser credentials, and sensitive system information.

The Mitigation Strategy

Organizations running Windows Server environments with WSUS enabled must take immediate action. The primary mitigation is applying Microsoft’s out-of-band security update KB5070883, which addresses the vulnerability across all supported server versions. A system reboot is required after installation, so administrators should plan for brief downtime. Beyond patching, organizations should restrict WSUS endpoints from public internet exposure. Cybersecurity firm Huntress noted that exploitation may be limited because WSUS, which listens on ports 8530 and 8531, is not commonly exposed to the internet. However, any WSUS server reachable from untrusted networks represents a critical risk. Network monitoring tools should be configured to flag unusual outbound connections from WSUS servers, particularly to services like webhook.site and rare subdomains of cloud platforms. Endpoint detection and response solutions should be tuned to identify suspicious PowerShell and cURL activity originating from WSUS server processes.

Lessons Learned

This incident highlights several broader security principles that the cryptocurrency industry should internalize. First, legacy code carries hidden risks. Microsoft deprecated BinaryFormatter for good reason, yet the component persisted in a critical infrastructure service for years. Organizations should audit their own systems for deprecated dependencies, especially in security-sensitive contexts. Second, the speed of exploitation after disclosure demonstrates that threat actors are monitoring security advisories as closely as defenders. The gap between Microsoft’s October 23 out-of-band patch and the start of active exploitation on October 24 was measured in hours, not days. Third, the use of legitimate tools like PowerShell and Velociraptor for malicious purposes underscores the importance of behavioral monitoring over simple signature-based detection. Security teams must understand what normal looks like for their WSUS infrastructure to identify anomalies effectively.

User Action Required

For cryptocurrency holders and enterprise administrators, the immediate actions are clear. Apply the out-of-band WSUS patch immediately across all Windows Server instances. Verify that WSUS ports 8530 and 8531 are not exposed to the public internet. Review recent logs from WSUS servers for any connections to webhook.site, workers.dev subdomains, or unusual PowerShell activity. If your organization uses WSUS and holds cryptocurrency assets, ensure that wallet credentials and seed phrases are stored separately from the corporate network on air-gapped devices. The Skuld Stealer malware is specifically designed to target crypto wallets, making any compromised WSUS server a direct threat to digital asset holdings. The Dutch NCSC has also confirmed active exploitation in the wild, with researchers from Eye Security documenting a sophisticated Base64 .NET payload that hides commands from standard logging mechanisms.
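An added example of the log review the mitigation and action steps above call for; it is not code from the article, Darktrace, or Microsoft. It scans constructed WSUS-server egress log lines for connections to webhook.site or any workers.dev subdomain and for PowerShell or cURL egress from the server. The log line format, host name, and process names are assumptions made for the illustration.

```python
# Added example, not code from the article. Scans egress log lines from a
# WSUS server for the indicators the article names. The line format,
# host name and process names are assumptions for this illustration.
import re

# Constructed sample telemetry (not real): ts host process dest:port
SAMPLE_LOG = """\
2025-10-24T03:55:12Z wsus01 w3wp.exe webhook.site:443
2025-10-24T03:56:01Z wsus01 powershell.exe webhook.site:443
2025-10-24T09:10:44Z wsus01 wsusservice.exe sws.update.microsoft.com:443
2025-10-26T14:02:37Z wsus01 curl.exe a1b2c3.workers.dev:443
2025-10-26T14:05:10Z wsus01 wsusservice.exe download.windowsupdate.com:80
"""

# Services the article reports the compromised server contacting.
ABUSED_SERVICES = ("webhook.site", "workers.dev")
# PowerShell (Windows PowerShell or pwsh) and cURL, the living-off-the-land
# tools the article says were used for remote control of the server.
LOLBINS = {"powershell.exe", "pwsh.exe", "curl.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<proc>\S+)\s+(?P<dest>[^:\s]+):(?P<port>\d+)$"
)

def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_abused_service(dest):
    """True if dest is one of the abused services or any subdomain of one."""
    d = dest.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in ABUSED_SERVICES)

def scan(log_text):
    """Return (timestamp, process, destination, reasons) for each suspicious line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if is_abused_service(rec["dest"]):
            reasons.append("destination is a service abused for C2/exfil")
        if rec["proc"].lower() in LOLBINS:
            reasons.append("LOLBin egress from a WSUS host")
        if reasons:
            findings.append((rec["ts"], rec["proc"], rec["dest"], reasons))
    return findings

if __name__ == "__main__":
    for ts, proc, dest, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {proc} -> {dest}: {'; '.join(reasons)}")
```

Point `scan()` at real proxy or firewall export lines in the same shape, and treat a hit with both reasons as the highest priority for triage.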

Disclaimer: This article is for informational purposes only and does not constitute financial or investment advice. Always conduct your own research and consult with qualified cybersecurity professionals before making security decisions.


11 thoughts on “Critical WSUS Vulnerability CVE-2025-59287 Exploited to Deploy Crypto-Targeting Skuld Stealer Malware”

    1. Hardware wallets protect keys, but Skuld Stealer targets wallet software credentials on the device. If your seed phrase ever touched a Windows machine, you're at risk regardless.

      1. security_first

        hardware wallets help but Skuld Stealer targets wallet software credentials. If your seed phrase touched Windows, you’re at risk

    1. Jennifer Taylor: The breach cost here isn't just financial. WSUS controls updates for entire enterprise networks. One compromised server = thousands of endpoints with wallet-stealing malware.

  1. patch_tuesday_

    CVSS 9.8, and Microsoft had to issue an out-of-band patch because the initial fix was insufficient. Their own deprecated BinaryFormatter came back to bite them.

    1. BinaryFormatter was deprecated and removed from .NET 9, but WSUS still used it. This is the exact type of legacy tech debt that creates catastrophic vulnerabilities in enterprise software.

      1. crypto_defender

        BinaryFormatter was deprecated yet WSUS still used it. This is exactly the legacy tech debt that creates catastrophic vulnerabilities

  2. A CVSS 9.8 score means this is one of the most dangerous security flaws of 2025. WSUS being compromised affects entire enterprise networks.
