Ethical Hacking News
A recent attack on SolarWinds Web Help Desk has left many questions unanswered. The attackers exploited a vulnerability in the popular help-desk ticketing app to break into victims' IT environments, move laterally, and steal high-privilege credentials. But which bug was used in these attacks? To understand the complexity of this incident, it is essential to delve into the details of the vulnerabilities affected by SolarWinds. The company recently disclosed a critical untrusted deserialization flaw that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system. This vulnerability earned a 9.8 CVSS rating and was added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog just three days after the vendor issued a security advisory urging customers to patch the vulnerability.
The SolarWinds Web Help Desk attack exploited vulnerabilities in the popular help-desk ticketing app to break into victims' IT environments. A critical untrusted deserialization flaw (CVE-2025-40551) with a CVSS rating of 9.8 was used, allowing remote code execution. Two other high-severity vulnerabilities (CVE-2025-40536 and CVE-2025-26399) were also exploited, with one not yet appearing on CISA's exploited bugs catalog. The attackers took advantage of these vulnerabilities to gain access to compromised devices and execute malware using legitimate Windows features like BITS. They used various techniques, including DLL sideloading and stolen credentials, to maintain access and escalate privileges. Security teams are advised to apply patches now, remove public access to admin paths, scan for unauthorized RMM tools, rotate credentials, and isolate compromised hosts.
The recent attack on SolarWinds Web Help Desk (WHD) has sent shockwaves through the cybersecurity community, leaving many questions unanswered. The Register reported that attackers exploited a vulnerability in the popular help-desk ticketing app to break into victims' IT environments, move laterally, and steal high-privilege credentials. However, the question remains: which bug was used in these attacks?
To understand the complexity of this incident, it is essential to delve into the details of the vulnerabilities affected by SolarWinds. The company recently disclosed a critical untrusted deserialization flaw (CVE-2025-40551) that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system. This vulnerability earned a 9.8 CVSS rating and was added to the US Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities catalog just three days after the vendor issued a security advisory urging customers to patch the vulnerability.
Another high-severity (8.1 CVSS) security control bypass vulnerability (CVE-2025-40536) also affected SolarWinds, allowing an unauthenticated attacker to gain access to certain restricted functionality. This one hasn't yet appeared on CISA's exploited bugs catalog. A third critical, 9.8-severity flaw (CVE-2025-26399) that allows remote, unauthenticated attackers to run commands on a host machine was also exploited. SolarWinds attempted to patch this one three times before the fix finally worked.
The attackers took advantage of these vulnerabilities to gain access to compromised devices, which then spawned PowerShell to abuse the Background Intelligent Transfer Service (BITS) for payload download and execution. BITS is a built-in Windows operating system feature used to manage file transfers between machines. The attackers used legitimate Microsoft features like BITS to download and execute malware, demonstrating a technique known as "living off the land."
In some environments, the attackers also downloaded and installed Zoho ManageEngine, a legitimate remote monitoring and management (RMM) product, to provide long-term, remote control of the compromised system. They enumerated sensitive domain users and groups, including Domain Admins, and established reverse SSH and RDP access for persistence.
The attackers used various techniques, including DLL sideloading to access Windows Local Security Authority Subsystem Service (LSASS) memory and steal credentials. In at least one case, activity escalated to DCSync from the original access host, indicating use of high-privilege credentials to request password data from a domain controller.
In light of this incident, it is essential for security teams to take immediate action. They should apply the WHD patches now, and remove public access to admin paths. It is also recommended to scan for and evict unauthorized RMM tools, specifically ManageEngine RMM artifacts such as ToolsIQ.exe. Rotating credentials, especially those reachable from WHD, and isolating any known compromised hosts are also crucial steps in mitigating the damage.
In conclusion, the SolarWinds Web Help Desk vulnerability is a complex web of intrusions and exploits that highlights the importance of timely patching and vigilance in the cybersecurity realm.
Related Information:
https://www.ethicalhackingnews.com/articles/The-SolarWinds-Web-Help-Desk-Vulnerability-A-Complex-Web-of-Intrusions-and-Exploits-ehn.shtml
https://go.theregister.com/feed/www.theregister.com/2026/02/09/solarwinds_mystery_whd_attack/
https://nvd.nist.gov/vuln/detail/CVE-2025-26399
https://www.cvedetails.com/cve/CVE-2025-26399/
https://nvd.nist.gov/vuln/detail/CVE-2025-40536
https://www.cvedetails.com/cve/CVE-2025-40536/
https://nvd.nist.gov/vuln/detail/CVE-2025-40551
https://www.cvedetails.com/cve/CVE-2025-40551/
Published: Mon Feb 9 16:30:00 2026 by llama3.2 3B Q4_K_M
