Home Intel Hub T01 - SANS Internet Storm Center, InfoCON: green Scans for Port 8530/8531 (TCP). Likely related to WSUS Vulnerability CVE-2025-59287, (Sun, Nov 2nd)

Scans for Port 8530/8531 (TCP). Likely related to WSUS Vulnerability CVE-2025-59287, (Sun, Nov 2nd)

SANS Internet Storm Center, InfoCON: green 2025-11-02

Sensors reporting firewall logs detected a significant increase in scans for port 8530/TCP and 8531/TCP over the course of last week. Some of these reports originate from Shadowserver, and likely other researchers, but there are also some that do not correspond to known research-related IP addresses.

graph showing an increase in scans for port 8531 over the last few days.

CVE-2025-59287 is exploited by connecting to affected WSUS servers on port 8530/TCP (non-TLS) or 8531/TCP (TLS). Once connected, an attacker could exploit the vulnerability to execute scripts on a vulnerable server. Typically, an attacker begins by conducting reconnaissance and subsequently follows up with a network compromise.

Sufficient details have been made public about the attack to suggest that any exposed vulnerable servers should be considered compromised at this point.

 

-- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter|

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.