Microsoft has uncovered a multi-stage attack exploiting SolarWinds Web Help Desk (WHD) instances that are exposed to the internet. These intrusions gave threat actors initial access to organizations' networks, from which they moved laterally to other critical assets. One point remains unresolved: exactly which vulnerabilities were exploited.
According to the Microsoft Defender Security Research Team, it is uncertain whether the attackers exploited the recently reported CVE-2025-40551 (CVSS score 9.8) and CVE-2025-40536 (CVSS score 8.1), or the earlier patched CVE-2025-26399 (also scored 9.8). "Given that these attacks were detected in December 2025 on systems vulnerable to both sets of CVEs simultaneously, we cannot definitively identify which specific CVE was exploited to gain initial access," the team noted in their latest report.
To clarify, CVE-2025-40536 pertains to a security control bypass vulnerability, enabling unauthorized users to unlock certain restricted functionalities. In contrast, both CVE-2025-40551 and CVE-2025-26399 involve untrusted data deserialization issues that could facilitate remote code execution.
Just last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to apply the fix by February 6, 2026.
During the attacks identified by Microsoft, successful exploitation of the SolarWinds WHD instances permitted the attackers to execute remote commands without authentication, operating within the application's context. Researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini elaborated, "Once successfully compromised, the WHD service utilized PowerShell to employ BITS (Background Intelligent Transfer Service) for the download and execution of malicious payloads."
As the attack progressed, the threat actors proceeded to download legitimate components from Zoho ManageEngine, a recognized remote monitoring and management (RMM) tool, which enabled them to maintain remote control over the infected systems. Their actions included:
- Enumerating sensitive domain users and groups, including those with Domain Admin privileges.
- Establishing persistence by creating reverse SSH and RDP access, and attempting to set up a scheduled task to launch a QEMU virtual machine under the SYSTEM account at startup, effectively masking their tracks in a virtualized environment while allowing SSH access through port forwarding.
- Utilizing DLL side-loading on some systems by employing "wab.exe," a legitimate executable associated with the Windows Address Book, to trigger a malicious DLL named "sspicli.dll" for extracting credentials from LSASS memory.
In at least one documented incident, Microsoft disclosed that the attackers executed a DCSync attack, in which the attacker impersonates a Domain Controller and uses Active Directory replication requests to pull password hashes and other sensitive data from the directory database.
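A DCSync request is recorded on the domain controller as Security event 4662 with the replication control-access rights in its Properties field, so it can be spotted by asking which principals exercised those rights. The following triage routine is an added example for this page, not Microsoft's or any vendor's detection rule. The replication-right GUIDs are the well-known Active Directory identifiers; the domain name, account names, allowlist and sample events are constructed for illustration.

```python
"""Triage Windows Security event 4662 records for DCSync-style replication requests.
Added example, not Microsoft's or any vendor's detection rule. The sample events,
domain name and allowlist below are constructed for illustration."""
from dataclasses import dataclass

# Extended rights on the domain naming context that DCSync exercises.
# These GUIDs are the well-known Active Directory control-access right identifiers.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
CONTROL_ACCESS = 0x100  # AccessMask bit set when a control-access right is exercised


@dataclass
class Event4662:
    subject_user: str    # SubjectUserName: who made the request
    subject_domain: str  # SubjectDomainName
    object_type: str     # ObjectType: "domainDNS" for the naming context itself
    access_mask: int     # AccessMask
    properties: list     # GUIDs from the Properties field


def replication_rights_used(e: Event4662) -> list:
    """Names of replication rights present in the event's Properties, in event order."""
    if not (e.access_mask & CONTROL_ACCESS) or e.object_type.lower() != "domaindns":
        return []
    return [REPLICATION_RIGHTS[g.lower()] for g in e.properties if g.lower() in REPLICATION_RIGHTS]


def triage(events, allowed_replicators):
    """Return (principal, rights) for replication requests by principals that are not
    expected to replicate. allowed_replicators holds DOMAIN\\account names of legitimate
    replicators: the domain controllers' computer accounts and any known sync service."""
    allowed = {a.lower() for a in allowed_replicators}
    hits = []
    for e in events:
        rights = replication_rights_used(e)
        principal = f"{e.subject_domain}\\{e.subject_user}"
        if rights and principal.lower() not in allowed:
            hits.append((principal, rights))
    return hits


# Constructed sample events: one DC replicating normally, one service account
# pulling changes (the DCSync pattern), one ordinary directory read.
SAMPLE_EVENTS = [
    Event4662("DC02$", "CORP", "domainDNS", 0x100,
              ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]),
    Event4662("svc-backup", "CORP", "domainDNS", 0x100,
              ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
               "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    Event4662("alice", "CORP", "user", 0x10,
              ["00000000-0000-0000-0000-000000000001"]),  # placeholder attribute GUID
]
# Constructed allowlist: the domain's controllers, by computer account.
ALLOWED_REPLICATORS = ["CORP\\DC01$", "CORP\\DC02$"]

if __name__ == "__main__":
    for principal, rights in triage(SAMPLE_EVENTS, ALLOWED_REPLICATORS):
        print(f"possible DCSync by {principal}: {', '.join(rights)}")
```

Auditing for event 4662 must be enabled on the domain controllers (Directory Service Access under the DS Access audit category) and a SACL must exist on the domain object for the events to appear at all; without both, the routine has nothing to read. Keep the allowlist short and reviewed, since any account that can legitimately replicate is, by definition, one that can also perform DCSync.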
To mitigate such threats, organizations are strongly encouraged to keep their WHD instances updated, remove any unauthorized RMM tools, rotate service and admin account credentials, and isolate compromised machines to limit further spread.
This situation underscores a critical yet frequently overlooked pattern: a single unprotected application can pave the way for complete domain compromise when vulnerabilities are either unpatched or inadequately monitored. The Windows maker emphasized that in this intrusion, the attackers heavily relied on living-off-the-land techniques, utilizing legitimate administrative tools alongside low-noise persistence strategies. Such tactics highlight the pressing need for layered defense mechanisms, timely updates for internet-facing services, and behavior-based detection across identity, endpoint, and network frameworks.