Recent SolarWinds Flaws Potentially Exploited as Zero-Days
Briefly

"Attacks targeting internet-accessible SolarWinds Web Help Desk (WHD) instances for initial access may have exploited recently patched vulnerabilities as zero-days, Microsoft says. As part of a multi-stage intrusion in December 2025, hackers compromised the vulnerable WHD deployments to spawn PowerShell and download and execute additional payloads. However, Microsoft says it could not confirm whether the hackers exploited new or older SolarWinds vulnerabilities known to be exploited in the wild."
"CVE-2025-26399, described as an unauthenticated AjaxProxy deserialization remote code execution (RCE) bug, was disclosed as a bypass for CVE-2024-28988, which was a patch bypass for CVE-2024-28986. The flawed AjaxProxy functionality is also the root cause of CVE-2025-40551. It is described as an untrusted data deserialization issue leading to unauthenticated RCE and was added to CISA's KEV list last week."
"The company observed the attackers obtaining persistent access by deploying the legitimate remote monitoring and management (RMM) tool ManageEngine and establishing reverse SSH and RDP access. They were also seen setting up a scheduled task to launch a QEMU virtual machine at startup with System privileges, and using the virtualized environment for evasion and SSH access via port forwarding. In some instances, they used DLL sideloading to access LSASS memory and steal c"
Internet-accessible SolarWinds Web Help Desk (WHD) instances were targeted in December 2025, with attackers compromising WHD to run PowerShell and deploy additional payloads. The product was vulnerable to CVE-2025-40551 and CVE-2025-40536 (patched January 2026) and to CVE-2025-26399 (fixed September 2025). CVE-2025-26399 is an unauthenticated AjaxProxy deserialization RCE disclosed as a bypass for CVE-2024-28988, which was itself a bypass for CVE-2024-28986. The same flawed AjaxProxy deserialization underlies CVE-2025-40551, which was added to CISA's KEV list. CVE-2025-40536 can create valid AjaxProxy instances, enabling exploitation of CVE-2025-40551. Because several exploitable vulnerabilities coexisted in the targeted deployments, the exact initial exploit could not be reliably confirmed. For persistence the attackers deployed the ManageEngine RMM tool, set up reverse SSH and RDP access, and registered a scheduled task that launched a QEMU virtual machine at startup with System privileges, using the VM for evasion and for SSH access via port forwarding; they also used DLL sideloading to access LSASS memory.
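As an added illustration of how a defender could hunt for two of the behaviours described above (the WHD process spawning PowerShell, and a scheduled task that launches QEMU at startup as SYSTEM), the following Python is not from the article, Microsoft or SolarWinds. It assumes Sysmon-style process-creation fields, a WHD install path containing "WebHelpDesk", and task registration via schtasks.exe; the events are constructed.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields); not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\java.exe",  # assumed WHD layout
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA=",
     "User": r"NT AUTHORITY\SYSTEM"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onstart /ru SYSTEM /tn Updater /tr "C:\Tools\qemu-system-x86_64.exe -hda disk.qcow2"',
     "User": r"CORP\admin"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "User": r"CORP\alice"},
]

WHD_PARENT = re.compile(r"webhelpdesk", re.I)  # assumption: the WHD install path contains this
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
QEMU_BIN = re.compile(r"qemu-system-[a-z0-9_]+(?:\.exe)?", re.I)
ON_START = re.compile(r"/sc\s+onstart\b", re.I)
RUN_AS_SYSTEM = re.compile(r'/ru\s+"?(?:NT AUTHORITY\\)?SYSTEM\b', re.I)

def basename(path: str) -> str:
    """Lower-cased final component of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def whd_spawned_shell(ev: dict) -> bool:
    """The WHD Java process has no legitimate reason to spawn PowerShell or cmd."""
    return bool(WHD_PARENT.search(ev["ParentImage"])) and basename(ev["Image"]) in SHELLS

def qemu_startup_task_as_system(ev: dict) -> bool:
    """schtasks creating an ONSTART task that runs a QEMU binary as SYSTEM."""
    cl = ev["CommandLine"]
    return (basename(ev["Image"]) == "schtasks.exe" and "/create" in cl.lower()
            and bool(ON_START.search(cl)) and bool(RUN_AS_SYSTEM.search(cl))
            and bool(QEMU_BIN.search(cl)))

def classify(events: list) -> list:
    """Return (event index, finding name) pairs for events matching either behaviour."""
    findings = []
    for i, ev in enumerate(events):
        if whd_spawned_shell(ev):
            findings.append((i, "whd-spawned-shell"))
        if qemu_startup_task_as_system(ev):
            findings.append((i, "qemu-startup-task-as-system"))
    return findings
```

Run over the constructed events, `classify` flags the first two and leaves the benign notepad launch alone; in production the same checks would run over the process-creation feed of the WHD host.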
Read at SecurityWeek