Find notable cyber news and cases, enriched with sources, timelines, and signals.

SolarWinds Web Help Desk (WHD) multi-stage exploitation wave

Exploitation Wave
First reported
Last updated
Happening score
H score 44
2 unique sources, 3 articles

Summary

Hide ▲

SolarWinds Web Help Desk (WHD) exploitation is a multi-stage intrusion wave affecting internet-exposed WHD instances. The foothold remains unconfirmed, but the wave is tied to CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399. Microsoft and Huntress reported threat actors using WHD flaws for initial access, and CISA later added CVE-2025-26399 to its KEV catalog after evidence of active exploitation. Post-exploitation activity included PowerShell, BITS, reverse SSH/RDP, LSASS credential theft, and DCSync attempts.

Related Happenings

SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)

Vulnerability
H score46 First: 15.06.2026 23:06 Last: 15.06.2026 23:06 Sources 1

About this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

SolarWinds Serv-U advisory and mitigations for CVE-2026-28318

Advisory/Mitigation
H score52 First: 06.06.2026 11:14 Last: 06.06.2026 11:14 Sources 1

About this happening: **SolarWinds Serv-U** mitigation guidance now covers **CVE-2026-28318**, reducing **unauthenticated DoS** risk from specially crafted POST requests. SolarWinds says the flaw is ad...

CISA KEV order for SolarWinds Serv-U CVE-2026-28318

Public Sector Action
H score50 First: 06.06.2026 11:14 Last: 06.06.2026 11:14 Sources 1

About this happening: **CISA** added **CVE-2026-28318** affecting **SolarWinds Serv-U** to the **KEV catalog** and ordered **FCEB agencies** to remediate it by **June 19, 2026**. The directive expands...

SolarWinds Serv-U denial-of-service flaw actively exploited (CVE-2026-28318)

Vulnerability
H score73 First: 05.06.2026 22:15 Last: 05.06.2026 22:15 Sources 1

About this happening: **CISA** added **CVE-2026-28318** affecting **SolarWinds Serv-U** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**. The **high-se...

Timeline

  1. 10.03.2026 08:17 1 articles · 4mo ago

    CISA adds SolarWinds Web Help Desk CVE-2025-26399 to KEV

    Legal Policy Action Update

    CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.

    Show sources
  2. 09.02.2026 16:42 2 articles · 5mo ago

    Microsoft details SolarWinds WHD multi-stage intrusion

    Technical Analysis Update

    Microsoft says attackers exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to gain unauthenticated remote code execution, then spawned PowerShell to use BITS for payload download and execution, brought in Zoho ManageEngine components for persistence, and used reverse SSH, RDP, DLL side-loading with wab.exe and sspicli.dll, LSASS dumping, and at least one DCSync attack to move toward higher-value assets.

    Show sources