Overview
WSUS (Windows Server Update Services) pushes updates to domain machines. If WSUS uses HTTP (not HTTPS), you can MITM the update process and inject a malicious update that executes as SYSTEM.Check WSUS Configuration
Vulnerable If
WUServeruseshttp://(nothttps://)UseWUServer=1
SharpWSUS
Inject fake update on WSUS server (requires admin on WSUS server or MITM position).Create Malicious Update
Approve Update for Target
Check Status
Cleanup
WSUSpendu (PowerShell)
PyWSUS — MITM Attack
If on same network and WSUS uses HTTP:ARP Spoofing + Inject
WSUXploit
Automated WSUS MITM.Quick Reference
| Scenario | Tool |
|---|---|
| Admin on WSUS server | SharpWSUS |
| MITM position (HTTP WSUS) | PyWSUS / WSUXploit |
| PowerShell-based | WSUSpendu |