Microsoft has identified a multi-stage cyber intrusion leveraging vulnerabilities in SolarWinds Web Help Desk (WHD) to gain unauthorized access to corporate networks. The attackers used these weaknesses to move laterally and target other critical assets within the affected organizations.
Details of the Exploitation
The Microsoft Defender Security Research Team has not yet confirmed which specific vulnerabilities were used in these attacks. The possibilities include either the recently disclosed vulnerabilities (CVE-2025-40551 and CVE-2025-40536) or a previously patched flaw (CVE-2025-26399). This ambiguity arises because the attacks occurred in December 2025, a time when systems were susceptible to both new and older vulnerabilities.
CVE-2025-40536 is known for enabling attackers to bypass security controls, potentially allowing unauthorized access to restricted features. On the other hand, CVE-2025-40551 and CVE-2025-26399 involve flaws related to untrusted data deserialization, which can result in remote code execution.
Impact and Techniques Used
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has acknowledged the active exploitation of CVE-2025-40551, urging federal agencies to implement necessary patches by February 6, 2026. Microsoft reports that successful exploitation of SolarWinds WHD led to unauthenticated remote code execution, enabling attackers to execute arbitrary commands within the application.
Upon gaining initial access, attackers employed PowerShell via BITS for payload deployment. They utilized legitimate software such as Zoho ManageEngine for persistent control over compromised systems, conducting actions like enumerating sensitive domain groups, establishing persistent access through reverse SSH and RDP, and attempting to schedule tasks to obscure their activities.
Preventive Measures and Recommendations
In some instances, attackers simulated Domain Controllers to extract password hashes and sensitive data from Active Directory. To mitigate these threats, Microsoft advises organizations to keep SolarWinds WHD instances updated, remove unauthorized remote monitoring tools, rotate service accounts, and isolate compromised systems.
This series of attacks highlights a prevalent and high-risk scenario where a single exposed application can lead to a full domain compromise if vulnerabilities are left unpatched. The attackers’ reliance on legitimate administrative tools and low-profile persistence techniques underscores the need for comprehensive security strategies, including timely patching and behavior-based detection across identity, endpoint, and network layers.
Organizations are urged to prioritize defense in-depth measures to protect against similar sophisticated cyber threats in the future.
