Security

SolarWinds Web Help Desk Exploitation Warning

3 min read

Summary

Microsoft is warning that internet-exposed SolarWinds Web Help Desk servers are being actively exploited for unauthenticated remote code execution, with attackers chaining built-in tools like PowerShell and BITS, plus legitimate remote management software, to stay stealthy and expand access. The activity matters because a single vulnerable WHD instance can become a low-noise path to credential theft, privilege escalation, and broader domain compromise, underscoring the need to patch known WHD flaws and monitor for unusual admin-tool usage.

Need help with Security?Talk to an Expert

Introduction: why this matters

Internet-exposed line-of-business tools remain a high-value target, and Microsoft has observed real-world attacks where compromising a single SolarWinds Web Help Desk (WHD) instance became a stepping stone to broader domain compromise. The campaign is notable for “living-off-the-land” (LoTL) behavior, use of legitimate admin tooling, and low-noise persistence—tactics that often evade signature-only controls.

What’s new / what Microsoft observed

Microsoft Defender Research identified multi-stage intrusions starting from exposed WHD servers:

  • Initial access via WHD exploitation (RCE): Successful exploitation enabled unauthenticated remote code execution in the WHD application context. Microsoft has not confirmed the specific vulnerability used, but notes affected systems were vulnerable to CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399.
  • Payload delivery using built-in tools: After compromise, the WHD service spawned PowerShell and used BITS to download and execute payloads.
  • Legitimate RMM used for control: In several cases, attackers installed components of Zoho ManageEngine (RMM) (e.g., artifacts like ToolsIQ.exe) to gain interactive access.
  • Credential access and privilege escalation:
    • Domain user/group enumeration including Domain Admins.
    • DLL sideloading via wab.exe loading a malicious sspicli.dll, enabling LSASS access and stealthier credential theft.
    • At least one incident progressed to DCSync, indicating high-privilege credential access.
  • Persistence and evasion:
    • Reverse SSH and RDP access.
    • A particularly stealthy technique: a scheduled task launching QEMU under SYSTEM at startup, effectively hiding activity in a VM while forwarding SSH over a host port.

Impact on IT admins and end users

  • Admins: Any publicly reachable WHD instance should be treated as a potential entry point to domain-wide compromise. Because attackers blend into administrative activity (PowerShell/BITS/RDP/SSH), behavior-based monitoring across endpoint, identity, and network is essential.
  • End users: The downstream impact can include account takeover, password theft, service disruption, and broader ransomware or data-theft risk once domain control is achieved.
  1. Patch and reduce exposure immediately
    • Apply updates addressing CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399.
    • Remove public exposure where possible, restrict admin paths, and increase logging (including WHD components such as the Ajax Proxy).
  2. Hunt for post-exploitation indicators
    • Use Microsoft Defender Vulnerability Management (MDVM) to locate vulnerable WHD servers.
    • In Defender XDR Advanced Hunting, look for suspicious process chains originating from WHD (e.g., wrapper.exe spawning PowerShell/BITS), and for ManageEngine/RMM artifacts added after the suspected compromise window.
  3. Evict unauthorized remote tooling
    • Identify and remove unexpected ManageEngine RMM components and investigate how they were deployed.
  4. Contain and recover
    • Isolate suspected hosts and rotate credentials starting with service accounts and admins reachable from WHD.
    • Investigate for identity compromise signals (pass-the-hash/over-pass-the-hash) and DCSync indicators.

Microsoft notes analysis is ongoing; defenders should assume active exploitation continues and prioritize internet-facing application hygiene and layered detection.

Need help with Security?

Our experts can help you implement and optimize your Microsoft solutions.

Talk to an Expert

Stay updated on Microsoft technologies

Read the original article by Microsoft Defender Security Research Team
Microsoft Defender XDRSolarWinds Web Help DeskCVEvulnerability managementincident response

Related Posts

Security

Trivy Supply Chain Compromise: Defender Guidance

Microsoft has published detection, investigation, and mitigation guidance for the March 2026 Trivy supply chain compromise that affected the Trivy binary and related GitHub Actions. The incident matters because it weaponized trusted CI/CD security tooling to steal credentials from build pipelines, cloud environments, and developer systems while appearing to run normally.

Security

AI Agent Governance: Aligning Intent for Security

Microsoft outlines a governance model for AI agents that aligns user, developer, role-based, and organizational intent. The framework helps enterprises keep agents useful, secure, and compliant by defining behavioral boundaries and a clear order of precedence when conflicts arise.

Security

Microsoft Defender Predictive Shielding Stops GPO Ransomware

Microsoft detailed a real-world ransomware case in which Defender’s predictive shielding detected malicious Group Policy Object abuse before encryption began. By hardening GPO propagation and disrupting compromised accounts, Defender blocked about 97% of attempted encryption activity and prevented any devices from being encrypted through the GPO delivery path.

Security

Microsoft Agentic AI Security Tools Unveiled at RSAC

At RSAC 2026, Microsoft introduced a broader security strategy for enterprise AI, led by Agent 365, a new control plane for governing and protecting AI agents that will reach general availability on May 1. The company also announced expanded AI risk visibility and identity protections across Defender, Entra, Purview, Intune, and new shadow AI detection tools, signaling that securing AI usage is becoming a core part of enterprise security operations as adoption accelerates.

Security

Microsoft CTI-REALM Benchmarks AI Detection Engineering

Microsoft has introduced CTI-REALM, an open-source benchmark designed to test whether AI agents can actually perform detection engineering tasks end to end, from interpreting threat intelligence reports to generating and refining KQL and Sigma detection rules. This matters because it gives security teams a more realistic way to evaluate AI for SOC operations, focusing on measurable operational outcomes across real environments instead of simple cybersecurity question answering.

Security

Microsoft Zero Trust for AI: Workshop and Architecture

Microsoft has introduced Zero Trust for AI guidance, adding an AI-focused pillar to its Zero Trust Workshop and expanding its assessment tool with new Data and Network pillars. The update matters because it gives enterprises a structured way to secure AI systems against risks like prompt injection, data poisoning, and excessive access while aligning security, IT, and business teams around nearly 700 controls.