Security

SolarWinds Web Help Desk Exploitation Warning

3 min read

Summary

Microsoft is warning that internet-exposed SolarWinds Web Help Desk servers are being actively exploited for unauthenticated remote code execution, with attackers chaining built-in tools like PowerShell and BITS, plus legitimate remote management software, to stay stealthy and expand access. The activity matters because a single vulnerable WHD instance can become a low-noise path to credential theft, privilege escalation, and broader domain compromise, underscoring the need to patch known WHD flaws and monitor for unusual admin-tool usage.

Need help with Security?Talk to an Expert

Introduction: why this matters

Internet-exposed line-of-business tools remain a high-value target, and Microsoft has observed real-world attacks where compromising a single SolarWinds Web Help Desk (WHD) instance became a stepping stone to broader domain compromise. The campaign is notable for “living-off-the-land” (LoTL) behavior, use of legitimate admin tooling, and low-noise persistence—tactics that often evade signature-only controls.

What’s new / what Microsoft observed

Microsoft Defender Research identified multi-stage intrusions starting from exposed WHD servers:

  • Initial access via WHD exploitation (RCE): Successful exploitation enabled unauthenticated remote code execution in the WHD application context. Microsoft has not confirmed the specific vulnerability used, but notes affected systems were vulnerable to CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399.
  • Payload delivery using built-in tools: After compromise, the WHD service spawned PowerShell and used BITS to download and execute payloads.
  • Legitimate RMM used for control: In several cases, attackers installed components of Zoho ManageEngine (RMM) (e.g., artifacts like ToolsIQ.exe) to gain interactive access.
  • Credential access and privilege escalation:
    • Domain user/group enumeration including Domain Admins.
    • DLL sideloading via wab.exe loading a malicious sspicli.dll, enabling LSASS access and stealthier credential theft.
    • At least one incident progressed to DCSync, indicating high-privilege credential access.
  • Persistence and evasion:
    • Reverse SSH and RDP access.
    • A particularly stealthy technique: a scheduled task launching QEMU under SYSTEM at startup, effectively hiding activity in a VM while forwarding SSH over a host port.

Impact on IT admins and end users

  • Admins: Any publicly reachable WHD instance should be treated as a potential entry point to domain-wide compromise. Because attackers blend into administrative activity (PowerShell/BITS/RDP/SSH), behavior-based monitoring across endpoint, identity, and network is essential.
  • End users: The downstream impact can include account takeover, password theft, service disruption, and broader ransomware or data-theft risk once domain control is achieved.
  1. Patch and reduce exposure immediately
    • Apply updates addressing CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399.
    • Remove public exposure where possible, restrict admin paths, and increase logging (including WHD components such as the Ajax Proxy).
  2. Hunt for post-exploitation indicators
    • Use Microsoft Defender Vulnerability Management (MDVM) to locate vulnerable WHD servers.
    • In Defender XDR Advanced Hunting, look for suspicious process chains originating from WHD (e.g., wrapper.exe spawning PowerShell/BITS), and for ManageEngine/RMM artifacts added after the suspected compromise window.
  3. Evict unauthorized remote tooling
    • Identify and remove unexpected ManageEngine RMM components and investigate how they were deployed.
  4. Contain and recover
    • Isolate suspected hosts and rotate credentials starting with service accounts and admins reachable from WHD.
    • Investigate for identity compromise signals (pass-the-hash/over-pass-the-hash) and DCSync indicators.

Microsoft notes analysis is ongoing; defenders should assume active exploitation continues and prioritize internet-facing application hygiene and layered detection.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Read the original article by Microsoft Defender Security Research Team
Microsoft Defender XDRSolarWinds Web Help DeskCVEvulnerability managementincident response

Related Posts

Security

AI Memory Security in Microsoft 365 Explained

Microsoft has outlined how it secures AI memory in Microsoft 365, addressing emerging risks such as memory poisoning and delayed tool execution. The update matters because persistent AI memory can improve personalization and agent performance, but it also creates new security, compliance, and audit requirements for IT and security teams.

Security

Parallel Threat Activity: Microsoft DART Findings

Microsoft Incident Response detailed a complex intrusion in which two unrelated threat actors operated simultaneously in the same environment, complicating attribution and detection. The case highlights how ransomware activity, SharePoint exploitation, trusted tool abuse, and identity compromise can overlap across hybrid estates, reinforcing the need for strong telemetry, patching, and coordinated response.

Security

AutoJack RCE in AutoGen Studio: Security Lessons

Microsoft security researchers detailed AutoJack, an exploit chain in AutoGen Studio that could let untrusted web content rendered by an AI browsing agent trigger remote code execution on the host. Although the vulnerable MCP WebSocket surface was never shipped in a PyPI release and the issue was hardened upstream during development, the findings highlight important security risks for agent frameworks that combine web browsing with privileged local services.

Security

Microsoft Security Forrester Study Reports 124% ROI

A new Forrester Total Economic Impact study found that organizations consolidating on Microsoft Security could see a projected 124% ROI over three years. The report highlights lower breach risk, reduced remediation costs, lower technology spend, and productivity gains as key reasons unified security platforms matter in the AI era.

Security

Mastra npm Supply Chain Attack: What IT Teams Need to Know

Microsoft has detailed a large-scale npm supply chain compromise affecting more than 140 Mastra packages after an attacker took over a maintainer account and injected a malicious dependency. The attack is significant because the payload executed during npm install, putting developer workstations and CI/CD pipelines at risk even if the package was never directly used in code.

Security

Crypto Clipper Malware Uses Tor and USB Worm Spread

Microsoft has detailed a Windows-based crypto clipper campaign that uses malicious shortcut files, a bundled Tor client, and worm-like USB propagation to steal wallet data and maintain persistence. The threat matters because it combines clipboard theft, screenshot exfiltration, and remote code execution with stealthy Tor-based command and control, making behavioral detection critical for defenders.