
SolarWinds Web Help Desk (WHD) multi-stage exploitation wave

Exploitation Wave · Happening score 63 · 2 unique sources, 3 articles

Summary


SolarWinds Web Help Desk (WHD) exploitation is a multi-stage intrusion wave affecting internet-exposed WHD instances. The exact initial-access vector has not been confirmed, but the wave is tied to CVE-2025-40551, CVE-2025-40536, and CVE-2025-26399. Microsoft and Huntress reported threat actors using WHD flaws for initial access, and CISA later added CVE-2025-26399 to its KEV catalog after evidence of active exploitation. Post-exploitation activity included PowerShell, BITS, reverse SSH/RDP, LSASS credential theft, and DCSync attempts.

Related Happenings

Microsoft SharePoint remote code execution (CVE-2026-45659)

Vulnerability
First: 26.05.2026 14:49 Last: 26.05.2026 14:49 Sources 1

About this happening: **Microsoft SharePoint** **CVE-2026-45659** is a **remote code execution** vulnerability that lets an **authenticated attacker** with **Site Member** permissions run code over the...

Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)

Vulnerability
First: 21.05.2026 10:49 Last: 21.05.2026 10:49 Sources 1

About this happening: Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...

Windows ikeext.dll double-free RCE (CVE-2026-33824)

Vulnerability
First: 13.05.2026 16:46 Last: 13.05.2026 16:46 Sources 1

About this happening: **CVE-2026-33824** is a **double-free flaw** in **Windows ikeext.dll** that can let an **unauthenticated attacker** trigger **remote code execution** on systems with **IKEv2** ena...

Windows Netlogon stack-based buffer overflow security flaw (CVE-2026-41089)

Vulnerability
First: 13.05.2026 11:15 Last: 13.05.2026 11:15 Sources 1

About this happening: Microsoft’s **May Patch Tuesday** fixed **CVE-2026-41089**, a **critical** stack-based buffer overflow in **Windows Netlogon** that could let attackers gain **system privileges**...

Windows Shell spoofing flaw actively exploited (CVE-2026-32202)

Vulnerability
First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: **Microsoft** updated **Windows Shell** advisory guidance to confirm **CVE-2026-32202** was **actively exploited in the wild**, raising the risk of sensitive-information disclosur...

Timeline

  1. 10.03.2026 08:17 1 article · 2mo ago

    CISA adds SolarWinds Web Help Desk CVE-2025-26399 to KEV

    Legal Policy Action Update

    CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. CISA said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.

  2. 09.02.2026 16:42 2 articles · 3mo ago

    Microsoft details SolarWinds WHD multi-stage intrusion

    Technical Analysis Update

    Microsoft says attackers exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to gain unauthenticated remote code execution, then spawned PowerShell to use BITS for payload download and execution, brought in Zoho ManageEngine components for persistence, and used reverse SSH, RDP, DLL side-loading with wab.exe and sspicli.dll, LSASS dumping, and at least one DCSync attack to move toward higher-value assets.
