Security monitoring sensors have detected an alarming rise in scans targeting TCP ports 8530 and 8531, both linked to Windows Server Update Services (WSUS).
The observed activity appears tied to exploitation attempts of the recently disclosed vulnerability CVE-2025-59287, which affects WSUS servers configured to listen on these ports.
Initial reports surfaced through data from Shadowserver and other network intelligence sources.
However, several scan patterns are now originating from unidentified IP addresses, indicating that not all activity stems from legitimate research or security testing.
A graph illustrating scanning activity shows a steep upward trend, particularly for port 8531/TCP traffic, underscoring a growing interest among threat actors.

CVE-2025-59287 allows remote attackers to execute arbitrary scripts by establishing a connection to a vulnerable WSUS instance via port 8530 (non-TLS) or port 8531 (TLS).
Once an attacker connects, they may leverage this vulnerability to gain unauthorized access and escalate privileges within the network environment.
Typical attack sequences begin with reconnaissance scans to identify exposed servers, followed by targeted exploitation efforts aimed at deploying malicious payloads or manipulating system update logic.
Security experts caution that enough technical detail about CVE-2025-59287 has already been published to enable active attacks in the wild.
Consequently, any publicly accessible WSUS endpoints should be presumed at risk or potentially compromised until proven otherwise.
Administrators are strongly urged to review firewall configurations, restrict external WSUS access, and apply available security updates or mitigation guidance from Microsoft.
The ongoing surge in scanning activity demonstrates how quickly attackers pivot to exploit newly revealed vulnerabilities.
Organizations using WSUS should treat this incident with high urgency to reduce exposure and strengthen defensive postures before attackers can take advantage of unpatched systems.
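
To check the firewall review recommended above against real traffic, the following added example (not part of the original report) scans a Windows Firewall log for inbound TCP connections to ports 8530 and 8531 from sources outside the networks expected to use WSUS. The trusted range `10.0.0.0/8`, the sample log lines, and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

WSUS_PORTS = {"8530", "8531"}  # WSUS listeners named in the article (non-TLS / TLS)
# Assumption: only these networks are expected to reach WSUS; adjust to your environment.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample in pfirewall.log layout; addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2025-11-01 09:14:02 ALLOW TCP 10.20.4.17 10.0.0.5 50211 8530 0 - 0 0 0 - - - RECEIVE
2025-11-01 09:15:40 ALLOW TCP 203.0.113.44 10.0.0.5 41822 8531 0 - 0 0 0 - - - RECEIVE
2025-11-01 09:15:41 DROP TCP 203.0.113.44 10.0.0.5 41823 8530 0 - 0 0 0 - - - RECEIVE
2025-11-01 09:16:05 DROP TCP 198.51.100.9 10.0.0.5 60001 8531 0 - 0 0 0 - - - RECEIVE
2025-11-01 09:16:09 ALLOW TCP 198.51.100.9 10.0.0.5 60002 443 0 - 0 0 0 - - - RECEIVE
"""

def find_external_wsus_hits(log_text):
    """Count inbound WSUS-port connections per untrusted source IP."""
    fields, hits = [], defaultdict(lambda: {"ALLOW": 0, "DROP": 0, "ports": set()})
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("protocol") != "TCP" or rec.get("path") != "RECEIVE":
            continue  # only inbound TCP is relevant here
        if rec.get("dst-port") not in WSUS_PORTS:
            continue
        try:
            src = ipaddress.ip_address(rec.get("src-ip", ""))
        except ValueError:
            continue  # skip malformed records
        if any(src in net for net in TRUSTED_NETS):
            continue
        entry = hits[str(src)]
        if rec.get("action") in ("ALLOW", "DROP"):
            entry[rec["action"]] += 1
        entry["ports"].add(int(rec["dst-port"]))
    return dict(hits)

def exposed_sources(hits):
    """Untrusted sources with at least one ALLOW: WSUS was reachable from outside."""
    return sorted(ip for ip, h in hits.items() if h["ALLOW"] > 0)

if __name__ == "__main__":
    found = find_external_wsus_hits(SAMPLE_LOG)
    print(found, exposed_sources(found))
```

Any source returned by `exposed_sources` means the firewall allowed an outside address through to a WSUS listener, which is the exposure the article says should be presumed at risk until proven otherwise.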





