Microsoft researchers have uncovered a series of attacks against SolarWinds Web Help Desk (WHD) instances in December 2025 in which attackers exploited as-yet-unidentified vulnerabilities to steal high-privilege credentials. It remains unclear whether the attackers used recently disclosed CVEs or older ones, because the victims were vulnerable to several flaws at once.
Microsoft researchers have revealed that intruders exploited vulnerabilities in SolarWinds Web Help Desk (WHD) instances during December 2025 to get into victims' IT environments and steal high-privilege credentials. The post-exploitation tradecraft relied on built-in Windows features and legitimate third-party tools rather than custom malware, and the investigation has not yet established which vulnerability served as the initial entry point.
The Mystery of the Unknown Exploit
The most puzzling aspect of these attacks is that security researchers have not yet determined which specific vulnerability the attackers exploited. SolarWinds WHD has accumulated multiple critical vulnerabilities in recent months, so an unpatched instance may offer several viable entry points at once, which complicates both attribution of the intrusion and the defenders' job.
Microsoft's threat hunters noted in their analysis: "We have not yet confirmed whether the attacks are related to the most recent set of WHD vulnerabilities disclosed on January 28, 2026, such as CVE-2025-40551 and CVE-2025-40536 or stem from previously disclosed vulnerabilities like CVE-2025-26399."
This uncertainty stems from timing: the attacks took place in December 2025, and the compromised machines were unpatched against both the older and the newer sets of CVEs. The overlapping vulnerability windows make it hard to pin down the exact entry point. If the newer CVEs were the vector, they were exploited before SolarWinds publicly disclosed them.
The Vulnerability Landscape
Several critical vulnerabilities have affected SolarWinds WHD in recent months:
CVE-2025-40551 - This critical vulnerability (CVSS 9.8) is a deserialization-of-untrusted-data flaw that leads to remote code execution: a remote, unauthenticated attacker can execute operating system commands on the affected system. Its severity prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to the Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies only three days to patch.
CVE-2025-40536 - This high-severity vulnerability (CVSS 8.1) is a security control bypass that lets unauthenticated attackers reach certain restricted functionality. While serious, it has not yet been added to CISA's KEV catalog.
CVE-2025-26399 - Another critical (CVSS 9.8) flaw that allows remote, unauthenticated attackers to run commands on the host. Notably, it is the third fix SolarWinds has shipped for the same underlying weakness; the company noted that "This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986." An instance patched only against the two earlier CVEs therefore remains exploitable.
Attack Methodology
Once the attackers gained initial access through one of these vulnerabilities, they relied mainly on built-in Windows features and legitimate third-party tools to maintain persistence and escalate privileges:
Living Off the Land
The compromised devices spawned PowerShell to abuse the Background Intelligent Transfer Service (BITS) to download and execute payloads. BITS is a legitimate Windows component that transfers files in the background over idle bandwidth; Windows Update relies on it, so its network traffic rarely looks out of place. Attackers have increasingly adopted this "living off the land" technique, which uses administrative tools already present on the victim's machine rather than custom malware that antivirus software is more likely to detect.
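BITS leaves two records a responder can use: the BITS-Client operational event log (event ID 59 is written when a job starts and names the remote URL) and the job queue itself, which survives reboots. The PowerShell below is an added example, not code from Microsoft's report or from SolarWinds; run it elevated on a suspect host. The allow-list of expected download hosts and the 30-day window are assumptions to tune for your environment; the log name, event ID and the BitsTransfer cmdlets are standard Windows.

```powershell
# Added example: hunt for BITS transfers used to pull payloads onto a host.
# Run in an elevated PowerShell session on the suspect machine.
# The allow-list is an assumption; replace it with the update/CDN hosts you expect.
$AllowedHostPatterns = @('*.windowsupdate.com', '*.microsoft.com', '*.delivery.mp.microsoft.com')

function Test-AllowedUrl {
    param([string]$Url)
    $uri = $null
    if (-not [uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { return $false }
    foreach ($pattern in $AllowedHostPatterns) {
        if ($uri.Host -like $pattern) { return $true }
    }
    return $false
}

function Get-SuspiciousBitsActivity {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)

    # 1. Historical jobs: event 59 reads "BITS started the <job> transfer job
    #    that is associated with the <URL> URL", so the URL is in the message text.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Bits-Client/Operational'
        Id        = 59
        StartTime = $since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        foreach ($m in [regex]::Matches($e.Message, 'https?://[^\s"'']+')) {
            $url = $m.Value.TrimEnd('.', ',')
            if (-not (Test-AllowedUrl $url)) {
                [pscustomobject]@{
                    Source = 'EventLog'
                    Time   = $e.TimeCreated
                    User   = $e.UserId        # SID of the account that created the job
                    Detail = $url
                }
            }
        }
    }

    # 2. Live jobs still registered with the BITS service, for every user on the box.
    Import-Module BitsTransfer -ErrorAction Stop
    foreach ($job in (Get-BitsTransfer -AllUsers)) {
        if ($job.TransferType -ne 'Download') { continue }
        foreach ($f in $job.FileList) {
            if (-not (Test-AllowedUrl $f.RemoteName)) {
                [pscustomobject]@{
                    Source = 'LiveJob'
                    Time   = $job.CreationTime
                    User   = $job.OwnerAccount
                    Detail = "$($f.RemoteName) -> $($f.LocalName) [$($job.JobState)]"
                }
            }
        }
    }
}

Get-SuspiciousBitsActivity -Days 30 | Format-Table -AutoSize
```

Anything this returns should be cross-referenced with process creation telemetry (Defender or Sysmon) to confirm that the PowerShell which created the job was itself spawned by the WHD service, which is the parent-child relationship Microsoft describes.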
Installing Remote Management Tools
In several instances, the attackers downloaded and installed ManageEngine RMM, a legitimate remote monitoring and management (RMM) product from Zoho, which gave them long-term remote control of the compromised system. Abuse of legitimate RMM tools is increasingly common among sophisticated threat actors, partly because such software is signed and blends in with sanctioned IT activity.
Credential Theft and Domain Escalation
With the remote management tool in place, the intruders enumerated sensitive domain users and groups, including Domain Admins, and established reverse SSH and RDP access for persistence. Microsoft Defender observed the attackers creating scheduled tasks that launch QEMU virtual machines under the SYSTEM account at startup. Running tooling inside a guest VM keeps it out of sight of host-based security products, while port forwarding exposes the guest's SSH service to the attacker.
In some cases, the attackers used DLL sideloading to read the memory of the Windows Local Security Authority Subsystem Service (LSASS) and steal credentials. In at least one case, the activity escalated to DCSync from the original access host. DCSync abuses directory replication rights to ask a domain controller for account password data, so its use indicates the attackers had already obtained credentials with those high privileges.
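The two signals above, a boot-time scheduled task that starts QEMU as SYSTEM and DCSync requests against a domain controller, can both be checked with built-in cmdlets. The following is an added example and not code from Microsoft or SolarWinds: the first function runs on the suspect host, the second on a domain controller where "Audit Directory Service Access" success auditing is enabled so that event 4662 is written. The replication control-access-right GUIDs are the documented Active Directory values; the suspect binary names, the 7-day window and the exclusion of machine accounts (names ending in `$`) are assumptions.

```powershell
# Added example: look for the persistence and credential-theft signals described above.
# Part 1 runs on the compromised host; part 2 runs on a domain controller.

# --- Part 1: boot-triggered scheduled tasks that run as SYSTEM ---
function Get-SystemBootTasks {
    # Assumption: binaries you would not expect a scheduled task to launch on a server.
    param([string[]]$Suspect = @('qemu', 'qemu-system'))
    foreach ($task in Get-ScheduledTask) {
        $runsAsSystem = $task.Principal.UserId -in @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM')
        $bootTrigger  = $task.Triggers | Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' }
        if (-not ($runsAsSystem -and $bootTrigger)) { continue }
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $hit = $Suspect | Where-Object { $cmd -match [regex]::Escape($_) }
            [pscustomobject]@{
                Task    = "$($task.TaskPath)$($task.TaskName)"
                Command = $cmd.Trim()
                Flagged = [bool]$hit    # $true when the command references a suspect binary
            }
        }
    }
}

# --- Part 2: DCSync on a domain controller ---
# Control-access rights that grant directory replication; a DCSync request needs these.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Get-DCSyncEvents {
    # Assumption: $KnownSyncAccounts holds accounts that legitimately replicate (e.g. a directory sync service).
    param([int]$Days = 7, [string[]]$KnownSyncAccounts = @())
    $since  = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662; StartTime = $since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $rights = $ReplicationRights.Keys | Where-Object { $data['Properties'] -match $_ }
        if (-not $rights) { continue }
        $user = $data['SubjectUserName']
        # Domain controllers replicate with each other using machine accounts (name ends in '$');
        # any other principal requesting replication rights is DCSync until proven otherwise.
        if ($user -like '*$' -or $user -in $KnownSyncAccounts) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Subject = "$($data['SubjectDomainName'])\$user"
            Rights  = ($rights | ForEach-Object { $ReplicationRights[$_] }) -join ', '
            Object  = $data['ObjectName']
        }
    }
}

Get-SystemBootTasks | Where-Object Flagged | Format-Table -AutoSize
Get-DCSyncEvents -Days 7 | Format-Table -AutoSize
```

Event 4662 is high-volume on a busy domain controller, so in production this filter belongs in the SIEM rather than in a cmdlet over the live log; the logic (replication GUID present, subject is not a DC or a known sync account) is the same either way.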
Defense Recommendations
Microsoft has provided several critical recommendations for organizations using SolarWinds WHD:
Apply WHD patches immediately - Organizations should ensure they have applied all relevant security patches for their WHD installations.
Remove public access to admin paths - Limiting internet exposure of administrative interfaces reduces the attack surface regardless of which vulnerability is in play.
Scan for unauthorized RMM tools - Security teams should specifically look for ManageEngine RMM artifacts such as ToolsIQ.exe.
Rotate credentials - Microsoft recommends starting with service and admin accounts reachable from WHD.
Isolate compromised hosts - Any known compromised hosts should be isolated from the network to prevent further damage.
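Of the five steps, the RMM scan is the one that reduces to a script. The PowerShell below is an added example (not Microsoft's or SolarWinds' code) that checks a host for the ToolsIQ.exe binary Microsoft names and for any installed product, service or running process that references ManageEngine. The search roots and the broader name pattern beyond ToolsIQ.exe are assumptions; patching, exposure reduction, credential rotation and isolation are operational steps and are not scripted here.

```powershell
# Added example: triage a host for unauthorized ManageEngine RMM artifacts. Run elevated.
$Artifact = 'ToolsIQ.exe'            # binary named in Microsoft's guidance
$Pattern  = 'ManageEngine|ToolsIQ'    # assumption: wider match for installer, service and process names
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}", "$env:ProgramData", "$env:SystemDrive\Users") |
    Where-Object { $_ -and (Test-Path $_) }

function Get-RmmArtifacts {
    # 1. The named binary anywhere under the usual install and profile locations
    foreach ($root in $SearchRoots) {
        Get-ChildItem -Path $root -Filter $Artifact -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Kind = 'File'; Name = $_.FullName; Detail = "Modified $($_.LastWriteTime)" }
            }
    }
    # 2. Installed products, from both the 64-bit and 32-bit uninstall hives
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Product'; Name = $_.DisplayName; Detail = $_.InstallLocation } }
    # 3. Services whose binary path references the tool (RMM agents normally run as a service)
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name; Detail = "$($_.State): $($_.PathName)" } }
    # 4. Running processes, matched on name or image path
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match $Pattern -or $_.Path -match $Pattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Process'; Name = "$($_.ProcessName) ($($_.Id))"; Detail = $_.Path } }
}

$findings = @(Get-RmmArtifacts)
if ($findings.Count -eq 0) { 'No ManageEngine/ToolsIQ artifacts found.' }
else { $findings | Format-Table -AutoSize }
```

A hit on a host where the IT team never deployed ManageEngine is grounds to isolate that machine first and then start the credential rotation with every service and admin account that host could reach.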
Broader Implications
These attacks highlight several concerning trends in the cybersecurity landscape. First, they demonstrate how organizations can be vulnerable to multiple critical vulnerabilities simultaneously, making it difficult to determine which specific flaw was exploited. Second, they show how attackers are increasingly using legitimate tools and features for malicious purposes, complicating detection efforts.
The SolarWinds WHD attacks also underscore the importance of comprehensive vulnerability management and rapid patching. With critical vulnerabilities being actively exploited in the wild, organizations cannot afford delays in applying security updates.
As Microsoft continues to investigate these intrusions, the cybersecurity community will be watching closely to see whether the mystery of the initial exploit vector is eventually solved. In the meantime, organizations using SolarWinds WHD should take immediate action to secure their installations and monitor for signs of compromise.

The attacks serve as a stark reminder that even well-established IT management tools can become attack vectors when vulnerabilities are discovered and exploited. Organizations must maintain vigilance, implement defense-in-depth strategies, and respond quickly to security advisories to protect their critical infrastructure from increasingly sophisticated threat actors.
