Sign up to save your podcasts
Or
Share WSUS RCE: Update Weaponized
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
WSUS RCE: Update Weaponized
Attackers are abusing a WSUS flaw - Microsoft’s Windows Server Update Services - to detonate PowerCat, spawn reverse shells, and plant ShadowPad. All from the update server your entire Windows estate trusts by default.
One weak crypto key and a broken deserialization function let attackers hit your WSUS server with unauthenticated SYSTEM-level code execution. Chinese APT groups are already exploiting it to drop malware in memory, blend into legitimate WSUS traffic, and pivot deeper into the network.
Yes WSUS patch exists, but even if you patch it today, the real problem remains:
Your WSUS server is a high-value target with high-trust pathways - and most environments expose it far more than they think.
Watch host Lieuwe Jan Koning - with Blue Team expert Rob Maas and Red Team lead Luca Cipriano - break down how the exploit works, how attackers chain it into real-world intrusions, and the Zero Trust fixes that actually matter.
- (00:00) - Intro
Key Topics Covered
• How one WSUS flaw enables unauthenticated RCE as SYSTEM
• The attack chain: crafted payload → deserialization → PowerCat → ShadowPad
• Why update servers are high-value pivot points for APT groups
• How Chinese APTs weaponized this vulnerability in real-world intrusions
• Zero Trust protections: segmentation, egress control, EDR/XDR detection
• How to secure Microsoft Windows Server Update Services (WSUS patching best practices)
Episodes Mentioned
• China Nexus Barracuda Hack: https://www.youtube.com/watch?v=4X9AmBhOmSA
• APT Sand Eagle: https://youtu.be/U5qdERmvEwg?si=kdsCJDNkGjs6Lklz
• APT 44 / Seashell Blizzard: https://youtu.be/JqA0Irspxrc?si=nnJpz7VnLtz38LN4
• APT Handala: https://youtu.be/XYf-SMhQdDc?si=WpIE0h9Q-pokz0MD
Guest & Host Links
Rob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/
Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/
Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
Subscribe to Threat Talks and turn on notifications for deep dives into the world’s most active cyber threats and hands-on exploitation techniques.
Click here to view the episode transcript.
🔔 Follow and Support our channel! 🔔
===
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520
👕 Receive your Threat Talks T-shirt
https://threat-talks.com/
🗺️ Explore the Hack's Route in Detail 🗺️
https://threat-talks.com
🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX
View all episodes
By Threat TalksAttackers are abusing a WSUS flaw - Microsoft’s Windows Server Update Services - to detonate PowerCat, spawn reverse shells, and plant ShadowPad. All from the update server your entire Windows estate trusts by default.
One weak crypto key and a broken deserialization function let attackers hit your WSUS server with unauthenticated SYSTEM-level code execution. Chinese APT groups are already exploiting it to drop malware in memory, blend into legitimate WSUS traffic, and pivot deeper into the network.
Yes WSUS patch exists, but even if you patch it today, the real problem remains:
Your WSUS server is a high-value target with high-trust pathways - and most environments expose it far more than they think.
Watch host Lieuwe Jan Koning - with Blue Team expert Rob Maas and Red Team lead Luca Cipriano - break down how the exploit works, how attackers chain it into real-world intrusions, and the Zero Trust fixes that actually matter.
- (00:00) - Intro
Key Topics Covered
• How one WSUS flaw enables unauthenticated RCE as SYSTEM
• The attack chain: crafted payload → deserialization → PowerCat → ShadowPad
• Why update servers are high-value pivot points for APT groups
• How Chinese APTs weaponized this vulnerability in real-world intrusions
• Zero Trust protections: segmentation, egress control, EDR/XDR detection
• How to secure Microsoft Windows Server Update Services (WSUS patching best practices)
Episodes Mentioned
• China Nexus Barracuda Hack: https://www.youtube.com/watch?v=4X9AmBhOmSA
• APT Sand Eagle: https://youtu.be/U5qdERmvEwg?si=kdsCJDNkGjs6Lklz
• APT 44 / Seashell Blizzard: https://youtu.be/JqA0Irspxrc?si=nnJpz7VnLtz38LN4
• APT Handala: https://youtu.be/XYf-SMhQdDc?si=WpIE0h9Q-pokz0MD
Guest & Host Links
Rob Maas (Field CTO, ON2IT): https://threat-talks.com/the-hosts/
Luca Cipriano (CTI & Red Team Lead, ON2IT): https://threat-talks.com/the-hosts/
Additional Resources
Threat Talks: https://threat-talks.com/
ON2IT (Zero Trust as a Service): https://on2it.net/
AMS-IX: https://www.ams-ix.net/ams
Subscribe to Threat Talks and turn on notifications for deep dives into the world’s most active cyber threats and hands-on exploitation techniques.
Click here to view the episode transcript.
🔔 Follow and Support our channel! 🔔
===
► YOUTUBE: https://youtube.com/@ThreatTalks
► SPOTIFY: https://open.spotify.com/show/1SXUyUEndOeKYREvlAeD7E
► APPLE: https://podcasts.apple.com/us/podcast/threat-talks-your-gateway-to-cybersecurity-insights/id1725776520
👕 Receive your Threat Talks T-shirt
https://threat-talks.com/
🗺️ Explore the Hack's Route in Detail 🗺️
https://threat-talks.com
🕵️ Threat Talks is a collaboration between @ON2IT and @AMS-IX