SolarWinds Web Help Desk (WHD) multi-stage exploitation wave
Exploitation Wave
Summary
Hide ▲
Show ▼
SolarWinds Web Help Desk (WHD) exploitation is a multi-stage intrusion wave affecting internet-exposed WHD instances. The foothold remains unconfirmed, but the wave is tied to CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399. Microsoft and Huntress reported threat actors using WHD flaws for initial access, and CISA later added CVE-2025-26399 to its KEV catalog after evidence of active exploitation. Post-exploitation activity included PowerShell, BITS, reverse SSH/RDP, LSASS credential theft, and DCSync attempts.
Related Happenings
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
Vulnerability
H score46
First: 15.06.2026 23:06
Last: 15.06.2026 23:06
Sources 1
About this happening:
**CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
SimpleHelp remote management software privileged technician account creation security flaw (CVE-2026-48558)
VulnerabilityAbout this happening: **CVE-2026-48558** is a **critical authentication bypass** in **SimpleHelp RMM** that affects **OIDC authentication** and can let an unauthenticated attacker forge a token and obt...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
Vulnerability
H score34
First: 15.06.2026 16:00
Last: 15.06.2026 16:00
Sources 1
About this happening:
**Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
VulnerabilityAbout this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
SolarWinds Serv-U advisory and mitigations for CVE-2026-28318
Advisory/Mitigation
H score52
First: 06.06.2026 11:14
Last: 06.06.2026 11:14
Sources 1
About this happening:
**SolarWinds Serv-U** mitigation guidance now covers **CVE-2026-28318**, reducing **unauthenticated DoS** risk from specially crafted POST requests. SolarWinds says the flaw is ad...
SolarWinds Serv-U advisory and mitigations for CVE-2026-28318
Advisory/MitigationAbout this happening: **SolarWinds Serv-U** mitigation guidance now covers **CVE-2026-28318**, reducing **unauthenticated DoS** risk from specially crafted POST requests. SolarWinds says the flaw is ad...
CISA KEV order for SolarWinds Serv-U CVE-2026-28318
Public Sector Action
H score50
First: 06.06.2026 11:14
Last: 06.06.2026 11:14
Sources 1
About this happening:
**CISA** added **CVE-2026-28318** affecting **SolarWinds Serv-U** to the **KEV catalog** and ordered **FCEB agencies** to remediate it by **June 19, 2026**. The directive expands...
CISA KEV order for SolarWinds Serv-U CVE-2026-28318
Public Sector ActionAbout this happening: **CISA** added **CVE-2026-28318** affecting **SolarWinds Serv-U** to the **KEV catalog** and ordered **FCEB agencies** to remediate it by **June 19, 2026**. The directive expands...
SolarWinds Serv-U denial-of-service flaw actively exploited (CVE-2026-28318)
Vulnerability
H score73
First: 05.06.2026 22:15
Last: 05.06.2026 22:15
Sources 1
About this happening:
**CISA** added **CVE-2026-28318** affecting **SolarWinds Serv-U** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**. The **high-se...
SolarWinds Serv-U denial-of-service flaw actively exploited (CVE-2026-28318)
VulnerabilityAbout this happening: **CISA** added **CVE-2026-28318** affecting **SolarWinds Serv-U** to the **Known Exploited Vulnerabilities (KEV) catalog** after evidence of **active exploitation**. The **high-se...
Timeline
-
10.03.2026 08:17 1 articles · 4mo ago
CISA adds SolarWinds Web Help Desk CVE-2025-26399 to KEV
Legal Policy Action UpdateCISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.
Show sources
- CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited — thehackernews.com — 10.03.2026 08:17
-
09.02.2026 16:42 2 articles · 5mo ago
Microsoft details SolarWinds WHD multi-stage intrusion
Technical Analysis UpdateMicrosoft says attackers exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to gain unauthenticated remote code execution, then spawned PowerShell to use BITS for payload download and execution, brought in Zoho ManageEngine components for persistence, and used reverse SSH, RDP, DLL side-loading with wab.exe and sspicli.dll, LSASS dumping, and at least one DCSync attack to move toward higher-value assets.
Show sources
- SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers — thehackernews.com — 09.02.2026 16:42
- SolarWinds WHD Attacks Highlight Risks of Exposed Apps — www.darkreading.com — 11.02.2026 00:00