The Windows Server Update Services (WSUS) does not use SSL encrypted HTTPS delivery of the SOAP (Simple Object Access Protocol) XML web service. The lack of encryption opens the door to man-in-the-middle (MitM) attacks, this means that an attacker can inject malicious code in the legitimate traffic. The attackers can alter Windows Update by installing malware in the metadata of the update. The researchers demonstrated the attack at the Black Hat 2105 conference in Las Vegas, a detailed paper titled Compromising the Windows Enterprise via Windows Update is available online.”]
Source: https://securityaffairs.co/wordpress/39208/hacking/hacking-windows-server-update-services.html

