Google Threat Intelligence Group is investigating a series of attacks linked to a hacker targeting a critical vulnerability in Windows Server Update Service, Cybersecurity Dive has learned.
Threat activity has ramped up since last week, after a proof of concept was released for the untrusted data vulnerability in WSUS, the service widely used to manage the deployment of Microsoft product updates.
“We are actively investigating the exploitation of CVE-2025-59287 by a newly identified threat actor we are tracking as UNC6512 across multiple victim organizations,” GTIG researchers told Cybersecurity Dive.
After gaining initial access into targeted systems, the hacker has done reconnaissance on the compromised host and related environments, according to researchers. The hacker has also exfiltrated data from impacted hosts, according to GTIG.
The threat activity confirms prior observations from security firms, including Huntress Labs, which reported exploitation activity across at least four customer environments late last week.
Microsoft issued a patch to address the vulnerability earlier in the month, but the software update was ineffective. Researchers at HawkTrace released a proof of concept related to the vulnerability.
Researchers at Eye Security last week were alerted by suspicious activity picked up by endpoint detection and response telemetry and realized there was an active threat. They were able to replicate the proof of concept and warned various security partners and government agencies about the risk of exposing WSUS to the internet.
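The warning above concerns WSUS servers reachable from the internet. As an added illustration that is not part of the article and not code from any of the firms named in it, the following PowerShell snippet is a defender-side check an administrator could run on a WSUS host to see whether the update service is listening and which inbound firewall rules allow remote access to it. It assumes the WSUS default listener ports, 8530 for HTTP and 8531 for HTTPS, and that it is run from an elevated session on the WSUS server itself; it does not check patch status, which should be verified against Microsoft's advisory for CVE-2025-59287.

```powershell
# Added example (not from the article): report where a WSUS host's update-service
# listeners are bound and which inbound firewall rules expose them.
# Assumption: WSUS uses its default ports 8530 (HTTP) and 8531 (HTTPS).
$wsusPorts = @('8530', '8531')

# Only meaningful on a host that actually carries the WSUS role.
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
if (-not $role -or -not $role.Installed) {
    Write-Output 'WSUS role is not installed on this host.'
    return
}

# 1. Active listeners on the WSUS ports: a LocalAddress of 0.0.0.0 or :: means
#    the service accepts connections on every interface, not just the LAN-facing one.
Write-Output '--- WSUS listeners ---'
Get-NetTCPConnection -State Listen |
    Where-Object { $wsusPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 2. Enabled inbound allow rules that cover those ports, with the remote address
#    scope each rule permits. 'Any' as RemoteAddress is the finding to act on:
#    the rule does not restrict which networks may reach the WSUS port.
Write-Output '--- Inbound firewall rules touching WSUS ports ---'
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $ports      = @($portFilter.LocalPort)
        $hit        = $ports | Where-Object { $wsusPorts -contains $_ }
        if ($hit) {
            $addrFilter = $rule | Get-NetFirewallAddressFilter
            $remotes    = @($addrFilter.RemoteAddress)
            [pscustomobject]@{
                Rule          = $rule.DisplayName
                Profile       = $rule.Profile
                LocalPort     = ($ports -join ',')
                RemoteAddress = ($remotes -join ',')
                Unrestricted  = ($remotes -contains 'Any')
            }
        }
    } | Format-Table -AutoSize
```

Rules that report `Unrestricted = True`, or listeners bound to all interfaces on a host with a public-facing address, are the conditions under which WSUS would be exposed in the way the researchers warned about; the remedy is to scope the firewall rule to management and client subnets (or remove the public exposure at the perimeter) in addition to applying Microsoft's fix.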
Source: Cybersecurity Dive