MICROSOFT disclosed a multi-stage intrusion in which Internet-exposed SolarWinds Web Help Desk instances were exploited to gain initial access and move laterally to high-value assets, potentially across organisations. The activity involved unauthenticated remote code execution and the use of PowerShell after exploitation of the WHD service, with the attackers then downloading Zoho ManageEngine components to enable persistent remote control.
It remains unclear which CVE was used for the initial foothold, as attackers could have leveraged CVE-2025-40551 (score 9.8), CVE-2025-40536 (score 8.1) or a previously patched flaw; CVE-2025-26399 (score 9.8) has also been mentioned as a candidate. CVE-2025-40551 has been added to the CISA Known Exploited Vulnerabilities catalog, and agencies were ordered to apply the fixes by 6 February 2026. In at least one observed case, a DCSync-like technique was used to request password hashes from an Active Directory database.
Defenders are urged to patch internet-facing WHD instances, remove unauthorized RMM tools, rotate service and admin accounts, and isolate compromised machines to limit the breach, while Microsoft notes the actors relied on living-off-the-land techniques and legitimate tools to maintain persistence.
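The DCSync-like hash request mentioned above is visible on domain controllers as Windows Security event 4662 carrying the directory replication control-access GUIDs. The following added example (not from Microsoft's report or SolarWinds) flags such requests from any principal outside an allowlist of accounts expected to replicate; the event records are constructed samples in a simplified JSON shape, not real telemetry.

```python
import json

# Control-access right GUIDs that replication requests carry in the
# "Properties" field of Windows Security event 4662 (Directory Service Access).
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
REPLICATION_GUIDS = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}

# Constructed sample events (one JSON object per line); account names are made up.
SAMPLE_EVENTS = """\
{"EventID": 4662, "SubjectUserName": "DC01$", "ObjectType": "domainDNS", "Properties": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
{"EventID": 4662, "SubjectUserName": "svc_whd", "ObjectType": "domainDNS", "Properties": "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}
{"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user", "Properties": "bf967aba-0de6-11d0-a285-00aa003049e2"}
{"EventID": 4624, "SubjectUserName": "jdoe"}
"""


def is_replication_request(event):
    """True when a 4662 event targets the domain object with replication rights."""
    if event.get("EventID") != 4662:
        return False
    if event.get("ObjectType") != "domainDNS":
        return False
    props = set(event.get("Properties", "").lower().split())
    return bool(props & REPLICATION_GUIDS)


def find_suspicious_replication(lines, allowed_accounts):
    """Return the accounts that requested replication rights but are not allowlisted.

    allowed_accounts should hold domain controller computer accounts and any
    service accounts that legitimately replicate (e.g. directory sync connectors).
    """
    allowed = {a.upper() for a in allowed_accounts}
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if not is_replication_request(event):
            continue
        account = event.get("SubjectUserName", "")
        if account.upper() not in allowed:
            hits.append(account)
    return hits


if __name__ == "__main__":
    print(find_suspicious_replication(SAMPLE_EVENTS, {"DC01$"}))  # ['svc_whd']
```

Keep the allowlist short and reviewed: the value of this check lies in every replication request from a non-DC account being investigated rather than tuned away.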