SolarWinds Web Help Desk Exploited in Multi-Stage Cyber Attacks on Exposed Servers
In a recent cybersecurity development, threat actors have been observed exploiting vulnerabilities in SolarWinds Web Help Desk (WHD) to gain unauthorized access to organizational networks. These multi-stage intrusions have raised significant concerns about the security of internet-exposed WHD instances.
Initial Access Through WHD Vulnerabilities
Microsoft’s Defender Security Research Team reported that attackers targeted internet-facing WHD instances to establish an initial foothold within organizational networks. Which vulnerabilities were exploited remains uncertain: the attacks occurred in December 2025, when multiple critical flaws affected WHD. Those flaws include:
– CVE-2025-40551: An untrusted data deserialization vulnerability with a CVSS score of 9.8, allowing unauthenticated remote code execution.
– CVE-2025-40536: A security control bypass vulnerability with a CVSS score of 8.1, potentially granting unauthorized access to restricted functionalities.
– CVE-2025-26399: Another untrusted data deserialization flaw with a CVSS score of 9.8, enabling remote code execution.
Given the concurrent presence of these vulnerabilities, pinpointing the exact flaw exploited in each incident has been challenging.
Attackers’ Methodology and Tools
Upon successful exploitation, attackers executed arbitrary commands within the WHD application context. The attack sequence typically involved:
1. Payload Deployment: Using PowerShell to create Background Intelligent Transfer Service (BITS) jobs that download and execute malicious payloads.
2. Establishing Persistence: Deploying legitimate remote monitoring and management (RMM) tools, such as Zoho ManageEngine, to maintain remote control over compromised systems.
3. Credential Theft: Employing DLL side-loading techniques to dump the contents of the Local Security Authority Subsystem Service (LSASS) memory, facilitating credential harvesting.
4. Lateral Movement: Conducting domain enumeration to identify sensitive users and groups, including Domain Admins, and attempting to create scheduled tasks that launched virtual machines under the SYSTEM account as a way of hiding their activity.
In some instances, attackers executed DCSync attacks, simulating a Domain Controller to request password hashes and other sensitive information from the Active Directory database.
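As an added example (not from Microsoft’s report or this article), the following Python triages Windows Security event 4662 records for the directory replication extended rights a DCSync request requires, ignoring domain controller machine accounts and an allowlist of expected callers. The event records, account names and allowlist are constructed for illustration.

```python
# Added example, not from the article: triage Windows Security event 4662
# records for DCSync-style replication requests. Sample events are constructed.
import re

# Extended rights that grant directory replication; any of these in a 4662
# "Properties" field means the caller asked for replication access.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)
REPL = "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"

# Constructed 4662 events, already parsed into EventData-style fields.
SAMPLE_EVENTS = [
    # Normal DC-to-DC replication by a machine account: expected, must not fire.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "AccessMask": "0x100", "Properties": REPL},
    # A user account requesting replication rights: DCSync indicator.
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "svc_whd",
     "AccessMask": "0x100", "Properties": REPL},
    # Ordinary object read (different access mask, no replication GUIDs).
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "jdoe",
     "AccessMask": "0x10", "Properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},
]

def flag_dcsync(event, allowlist=frozenset()):
    """Return the replication rights a suspicious caller requested, else []."""
    if event.get("EventID") != 4662 or event.get("AccessMask", "").lower() != "0x100":
        return []
    subject = event.get("SubjectUserName", "")
    # DCs replicate with machine accounts (trailing '$'); allowlisted service
    # accounts (e.g. a directory-sync service) are also expected callers.
    if subject.endswith("$") or subject.lower() in allowlist:
        return []
    guids = (g.lower() for g in GUID_RE.findall(event.get("Properties", "")))
    return [REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS]

def triage(events, allowlist=frozenset()):
    """Map each flagged DOMAIN\\account to the set of replication rights it used."""
    hits = {}
    for ev in events:
        rights = flag_dcsync(ev, allowlist)
        if rights:
            key = f"{ev['SubjectDomainName']}\\{ev['SubjectUserName']}"
            hits.setdefault(key, set()).update(rights)
    return hits

if __name__ == "__main__":
    for account, rights in triage(SAMPLE_EVENTS).items():
        print(f"DCSync indicator: {account} requested {sorted(rights)}")
```

Event 4662 is only written when the Audit Directory Service Access subcategory is enabled on the domain controllers, so confirm that auditing is on before relying on this check.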
Mitigation Strategies
To defend against such sophisticated attacks, organizations are advised to:
– Update WHD Instances: Ensure all WHD systems are patched to the latest versions to address known vulnerabilities.
– Monitor for Unauthorized Tools: Regularly inspect systems for unauthorized RMM tools and remove them promptly.
– Credential Management: Rotate service and administrative account credentials regularly to limit the impact of potential credential theft.
– Network Segmentation: Isolate compromised machines to prevent lateral movement and further infiltration within the network.
This incident underscores the critical importance of maintaining up-to-date software and implementing robust monitoring practices. A single exposed application can serve as a gateway for attackers to achieve full domain compromise, emphasizing the need for vigilant cybersecurity measures.