Recent cyberattacks have targeted internet-accessible SolarWinds Web Help Desk (WHD) systems, exploiting newly patched vulnerabilities, according to insights from Microsoft. These attacks, which took place in December 2025, demonstrated a multi-stage intrusion strategy, with hackers leveraging these vulnerabilities to execute PowerShell and deploy additional payloads.
Vulnerability Exploitation Details
Microsoft has indicated that the compromised WHD systems were susceptible to several vulnerabilities, particularly CVE-2025-40551 and CVE-2025-40536, which were patched in January 2026. Additionally, these systems were also vulnerable to CVE-2025-26399, a flaw addressed in September 2025. However, the specific vulnerability utilized by the attackers remains unconfirmed.
CVE-2025-26399 is identified as a remote code execution bug stemming from unauthenticated AjaxProxy deserialization. This issue was revealed as a bypass for a previous vulnerability, CVE-2024-28988. Notably, the AjaxProxy flaw is also central to CVE-2025-40551, which involves deserialization of untrusted data, leading to unauthorized remote code execution.
Attackers’ Techniques and Persistence
The attackers demonstrated sophisticated techniques to maintain persistent access. They deployed the legitimate remote monitoring tool ManageEngine, establishing reverse SSH and RDP connections. Additionally, they utilized a scheduled task to initiate a QEMU virtual machine with system privileges at startup, aiding in evasion and SSH access through port forwarding.
Further tactics included DLL sideloading to access LSASS memory for credential theft and executing DCSync attacks to request password data from domain controllers. These methods highlight the attackers’ reliance on legitimate administrative tools and low-profile persistence mechanisms.
Security Recommendations and Outlook
Microsoft advises organizations to promptly patch their WHD systems against these vulnerabilities, eliminate unauthorized remote monitoring applications, update credentials, and isolate compromised hosts. The pattern of exploiting exposed applications underscores the critical need for robust patch management and monitoring practices.
This incident illustrates a common yet impactful threat pattern, where a single exposed application can lead to full domain compromise if vulnerabilities are left unaddressed. Organizations are urged to be vigilant and proactive in their cybersecurity measures to mitigate such risks in the future.
