SolarWinds Web Help Desk Exploitation Warning

Introduction: why this matters

Internet-exposed line-of-business tools remain a high-value target, and Microsoft has observed real-world attacks where compromising a single SolarWinds Web Help Desk (WHD) instance became a stepping stone to broader domain compromise. The campaign is notable for “living-off-the-land” (LoTL) behavior, use of legitimate admin tooling, and low-noise persistence—tactics that often evade signature-only controls.

What’s new / what Microsoft observed

Microsoft Defender Research identified multi-stage intrusions starting from exposed WHD servers:

• Initial access via WHD exploitation (RCE): Successful exploitation enabled unauthenticated remote code execution in the WHD application context. Microsoft has not confirmed the specific vulnerability used, but notes affected systems were vulnerable to CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399.
• Payload delivery using built-in tools: After compromise, the WHD service spawned PowerShell and used BITS to download and execute payloads.
• Legitimate RMM used for control: In several cases, attackers installed components of Zoho ManageEngine (RMM) (e.g., artifacts like ToolsIQ.exe) to gain interactive access.
• Credential access and privilege escalation:
  • Domain user/group enumeration including Domain Admins.
  • DLL sideloading via wab.exe loading a malicious sspicli.dll, enabling LSASS access and stealthier credential theft.
  • At least one incident progressed to DCSync, indicating high-privilege credential access.
• Persistence and evasion:
  • Reverse SSH and RDP access.
  • A particularly stealthy technique: a scheduled task launching QEMU under SYSTEM at startup, effectively hiding activity in a VM while forwarding SSH over a host port.

Impact on IT admins and end users

• Admins: Any publicly reachable WHD instance should be treated as a potential entry point to domain-wide compromise. Because attackers blend into administrative activity (PowerShell/BITS/RDP/SSH), behavior-based monitoring across endpoint, identity, and network is essential.
• End users: The downstream impact can include account takeover, password theft, service disruption, and broader ransomware or data-theft risk once domain control is achieved.

Recommended actions / next steps

1. Patch and reduce exposure immediately
   • Apply updates addressing CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399.
   • Remove public exposure where possible, restrict admin paths, and increase logging (including WHD components such as the Ajax Proxy).
2. Hunt for post-exploitation indicators
   • Use Microsoft Defender Vulnerability Management (MDVM) to locate vulnerable WHD servers.
   • In Defender XDR Advanced Hunting, look for suspicious process chains originating from WHD (e.g., wrapper.exe spawning PowerShell/BITS), and for ManageEngine/RMM artifacts added after the suspected compromise window.
3. Evict unauthorized remote tooling
   • Identify and remove unexpected ManageEngine RMM components and investigate how they were deployed.
4. Contain and recover
   • Isolate suspected hosts and rotate credentials starting with service accounts and admins reachable from WHD.
   • Investigate for identity compromise signals (pass-the-hash/over-pass-the-hash) and DCSync indicators.

Microsoft notes analysis is ongoing; defenders should assume active exploitation continues and prioritize internet-facing application hygiene and layered detection.