VULNERABLE SolarWinds Web Help Desk (WHD) instances were exploited in December 2025 for initial access, with Microsoft noting that attackers compromised the WHD deployments to spawn PowerShell and download and execute additional payloads.
According to Microsoft, the compromised product was vulnerable to CVE-2025-40551 and CVE-2025-40536, both patched in January 2026, and also to CVE-2025-26399, fixed in September 2025; CVE-2025-26399 was described as an unauthenticated AjaxProxy deserialization remote code execution bug and was disclosed as a bypass for CVE-2024-28988.
Microsoft observed the attackers obtaining persistent access by deploying the ManageEngine remote monitoring and management (RMM) tool and establishing reverse SSH and RDP access, and by creating a scheduled task that launched a QEMU virtual machine at startup with SYSTEM privileges. They also used DLL sideloading to access LSASS memory and steal credentials, and performed a DCSync attack to request password data from a domain controller. Organisations should patch WHD, remove unauthorized RMM applications, rotate credentials, and isolate compromised hosts.
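The chain described above leaves three distinct traces in Windows Security logs that a defender can hunt for: a PowerShell child spawned under the WHD service process (Event 4688), a scheduled task whose action runs a QEMU binary as SYSTEM at boot (Event 4698), and replication extended rights being exercised by an account that is not a domain controller (Event 4662, the usual DCSync signal). The script below is an added illustration, not code from Microsoft or from the article; it runs the three checks over constructed sample events. The WHD host-process image names, the domain controller account list and the file paths in the samples are assumptions to be adjusted for a real environment, and the only real identifiers are the two DS-Replication-Get-Changes extended-right GUIDs.

```python
"""Hunt the three behaviours from the write-up in parsed Windows Security events.
Sample events are constructed for this example, not taken from any incident."""
import re
from dataclasses import dataclass

# Real extended-right GUIDs that appear in the Properties field of 4662 when
# directory replication is requested (DS-Replication-Get-Changes / -All).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

KNOWN_DC_ACCOUNTS = {"DC01$", "DC02$"}           # assumption: your DCs' computer accounts
WHD_PARENT_IMAGES = ("java.exe", "tomcat9.exe")  # assumption: image names hosting WHD
SYSTEM_IDS = ("S-1-5-18", "NT AUTHORITY\\SYSTEM")

# Matches qemu.exe and the qemu-system-<arch>.exe family of binaries.
QEMU_RE = re.compile(r"qemu(-system-[a-z0-9_]+)?\.exe", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def check_whd_spawns_powershell(ev):
    """4688: PowerShell started as a child of the WHD service process (initial access)."""
    parent = ev.get("ParentProcessName", "").lower()
    child = ev.get("NewProcessName", "").lower()
    if parent.endswith(WHD_PARENT_IMAGES) and child.endswith("powershell.exe"):
        return Finding(4688, "whd-spawns-powershell", f"{parent} -> {child}")
    return None


def check_qemu_boot_task(ev):
    """4698: task registered to run a QEMU binary as SYSTEM at boot or logon (persistence)."""
    content = ev.get("TaskContent", "")
    runs_qemu = QEMU_RE.search(content) is not None
    as_system = any(sid in content for sid in SYSTEM_IDS)
    at_startup = "<BootTrigger" in content or "<LogonTrigger" in content
    if runs_qemu and as_system and at_startup:
        return Finding(4698, "qemu-vm-startup-task", ev.get("TaskName", "?"))
    return None


def check_dcsync(ev):
    """4662: replication rights used by a principal that is not a known DC (DCSync)."""
    props = ev.get("Properties", "").lower()
    subject = ev.get("SubjectUserName", "")
    if any(guid in props for guid in REPLICATION_GUIDS) and subject not in KNOWN_DC_ACCOUNTS:
        return Finding(4662, "dcsync-from-non-dc", subject)
    return None


CHECKS = {4688: check_whd_spawns_powershell, 4698: check_qemu_boot_task, 4662: check_dcsync}


def analyse(events):
    """Run the matching check for each event and return the list of findings, in log order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventID"))
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (paths and account names are illustrative only).
QEMU_TASK_XML = (
    "<Task><Triggers><BootTrigger/></Triggers>"
    "<Principals><Principal><UserId>S-1-5-18</UserId></Principal></Principals>"
    "<Actions><Exec><Command>C:\\ProgramData\\vm\\qemu-system-x86_64.exe</Command>"
    "<Arguments>-hda disk.qcow2</Arguments></Exec></Actions></Task>"
)
SAMPLE_EVENTS = [
    {"EventID": 4688, "ParentProcessName": "C:\\WHD\\bin\\java.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 4688, "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"EventID": 4698, "TaskName": "\\Updater", "TaskContent": QEMU_TASK_XML},
    {"EventID": 4662, "SubjectUserName": "svc_backup",
     "Properties": f"{{0}} {DS_REPLICATION_GET_CHANGES_ALL}"},
    {"EventID": 4662, "SubjectUserName": "DC02$",
     "Properties": f"{{0}} {DS_REPLICATION_GET_CHANGES}"},
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f.event_id}] {f.rule}: {f.detail}")
```

The benign explorer-launched PowerShell and the DC02$ replication request are deliberately included so that the checks show they key on the parent process and on the requesting principal rather than on PowerShell or on 4662 alone; in production, 4688 needs process creation auditing enabled and 4662 needs a SACL on the domain object for the replication rights, so verify both are in place before relying on these rules.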