Microsoft Warns of Active SolarWinds Web Help Desk Exploitation
Microsoft's Defender Security Research Team has observed threat actors actively exploiting internet-exposed SolarWinds Web Help Desk instances in multi-stage intrusions that led to lateral movement toward high-value assets within targeted organizations.
The attacks, which occurred in December 2025, leveraged vulnerabilities in SolarWinds WHD to gain initial access before deploying remote management tools and establishing persistence mechanisms across compromised networks. While Microsoft has not confirmed which specific vulnerabilities were exploited, the company said affected systems were vulnerable to both the recently disclosed flaws (CVE-2025-40551 and CVE-2025-40536) and a previously known vulnerability, CVE-2025-26399.
"This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored," the Microsoft Defender Research Team said in a blog post published Friday.
The intrusions relied heavily on living-off-the-land techniques and legitimate administrative tools, according to Microsoft. After exploiting exposed WHD instances, attackers used PowerShell to download and execute payloads via BITS. On several hosts, the downloaded binaries installed Zoho ManageEngine, a legitimate remote monitoring and management solution, giving attackers interactive control over compromised systems.
Microsoft said attackers then enumerated sensitive domain users and groups, including Domain Admins, and established reverse SSH and RDP access for persistence. In some environments, Microsoft Defender raised alerts when attackers created a scheduled task to launch a QEMU virtual machine under the SYSTEM account at startup, hiding malicious activity within a virtualized environment while exposing SSH access via port forwarding.
Security researchers at Huntress also observed active exploitation of SolarWinds WHD across multiple customers. In a detailed analysis published over the weekend, Huntress said threat actors deployed Velociraptor, an open-source digital forensics tool, as a command-and-control framework. The activity included reconnaissance, credential theft and the use of Cloudflare tunnels for persistent access.
"The adversary leveraged the file-hosting service Catbox to stage a Zoho ManageEngine RMM agent, a legitimate remote management tool that may be abused by threat actors to maintain persistent, hands-on access to the compromised environment," Huntress researchers said.
Huntress researchers noted that attackers used encoded PowerShell commands to execute a series of post-exploitation activities, including disabling Windows Defender and Windows Firewall, downloading additional tools and implementing a C2 failover mechanism for the Velociraptor agent. The researchers also observed attackers collecting system information and exfiltrating it to an attacker-controlled Elastic Cloud instance.
The earliest known instance of this persistence mechanism was installed on Jan. 16, 2026, at 21:24:40 UTC, according to Huntress, suggesting the attacks may have begun earlier than initially observed.
CVE-2025-40551, a critical untrusted data deserialization vulnerability, and CVE-2025-40536, a security control bypass flaw, were disclosed by SolarWinds on Jan. 28. CVE-2025-26399 was disclosed earlier. The Cybersecurity and Infrastructure Security Agency added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog last week.
All versions of SolarWinds Web Help Desk prior to 2026.1 are vulnerable. Organizations can check their version by reviewing the version.txt file located at C:\Program Files\WebHelpDesk.
Microsoft recommended that organizations update WHD to the latest version, remove public access to admin paths and rotate credentials for service and admin accounts reachable from WHD. The company also urged organizations to evict unauthorized RMM tools and isolate compromised hosts.
Huntress echoed those recommendations, adding that WHD administrative interfaces should not be publicly accessible and should be placed behind a VPN or firewall. The firm also recommended reviewing WHD hosts for unauthorized remote access tools, unexpected services and encoded PowerShell execution spawned by the WHD service process.
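The version check above and the review Huntress recommends (encoded PowerShell spawned by the WHD service process, the SYSTEM-level QEMU scheduled task Microsoft alerted on) can be scripted for a single WHD host. The following is an added triage example, not code from the article, Microsoft or Huntress; it assumes version.txt holds a dotted version string, that the caller supplies the WHD service binary name (the placeholder below is not a real process name), and that process-creation auditing with command-line logging (Security event 4688) is enabled.

```powershell
# Added triage example for a SolarWinds WHD host; not code from the article,
# Microsoft or Huntress. Assumptions: version.txt holds a dotted version string,
# the WHD service binary name is supplied by the caller, and Security event 4688
# with command-line auditing is enabled on the host.
param(
    [string]$VersionFile    = 'C:\Program Files\WebHelpDesk\version.txt',
    [string]$WhdProcessName = 'WHD_SERVICE_BINARY.exe',   # placeholder: set to the real WHD process name
    [int]$LookbackDays      = 30
)

# 1. Version check: every release before 2026.1 is vulnerable, per SolarWinds.
function Test-WhdVersion {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return "version.txt not found at $Path" }
    $raw = (Get-Content $Path -First 1).Trim()
    try { $v = [version]$raw } catch { return "Unparseable version string '$raw'" }
    if ($v -lt [version]'2026.1') { return "VULNERABLE: WHD $raw is older than 2026.1" }
    return "OK: WHD $raw is at or above 2026.1"
}

# 2. Encoded PowerShell whose parent is the WHD process. Any abbreviation of
#    -EncodedCommand (-e, -ec, -enc, ...) counts; -match is case-insensitive.
function Find-EncodedPowerShellFromWhd {
    param([string]$ParentName, [int]$Days)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $d = @{}   # flatten EventData <Data Name="..."> nodes into a hashtable
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $isPs    = $d['NewProcessName']    -match '\\(powershell|pwsh)\.exe$'
        $isEnc   = $d['CommandLine']       -match '\s-e(c|n[a-z]*)?\s'
        $fromWhd = $d['ParentProcessName'] -match ('\\' + [regex]::Escape($ParentName) + '$')
        if ($isPs -and $isEnc -and $fromWhd) {
            [pscustomobject]@{ Time = $e.TimeCreated; Parent = $d['ParentProcessName']; CommandLine = $d['CommandLine'] }
        }
    }
}

# 3. Scheduled tasks that run as SYSTEM and launch QEMU, the persistence Microsoft described.
function Find-SystemQemuTasks {
    Get-ScheduledTask | Where-Object {
        $_.Principal.UserId -match '^(SYSTEM|S-1-5-18)$' -and
        ($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'qemu' })
    } | Select-Object TaskName, TaskPath, @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { $_.Execute }) -join '; ' } }
}

Test-WhdVersion -Path $VersionFile
Find-EncodedPowerShellFromWhd -ParentName $WhdProcessName -Days $LookbackDays | Format-Table -AutoSize
Find-SystemQemuTasks | Format-Table -AutoSize
```

Run it in an elevated session on the WHD host; an empty result from the second and third functions only means nothing matched in the Security log and task library, not that the host is clean, so pair it with the RMM and tunnel review the article describes.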
Microsoft Defender provides pre-breach and post-breach coverage for this campaign, the company said. Customers can use Microsoft Defender Vulnerability Management to identify vulnerable but unpatched WHD instances and review alerts that provide coverage of attacks across devices and identity.