Someone’s attacking SolarWinds WHD – but which bug? • The Register

https://www.theregister.com/2026/02/09/solarwinds_mystery_whd_attack/

Publish Date: 2026-02-09 16:54:00

Source Domain: www.theregister.com

Digital intruders exploited buggy SolarWinds Web Help Desk (WHD) instances in December to break into victims’ IT environments, move laterally, and steal high-privilege credentials, according to Microsoft researchers.

But one mystery remains: which flaw in the popular help-desk ticketing app did the unknown miscreants abuse in these attacks?

“We have not yet confirmed whether the attacks are related to the most recent set of WHD vulnerabilities disclosed on January 28, 2026, such as CVE-2025-40551 and CVE-2025-40536 or stem from previously disclosed vulnerabilities like CVE-2025-26399,” the threat hunters said in a Friday blog. “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold.”

Redmond’s team said it continues to investigate the intrusions and will update the analysis as it learns more. The researchers declined to answer The Register’s inquiries about these attacks, including how many organizations’ WHD instances had been compromised.

SolarWinds did not immediately respond to our request for comment.

CVE-2025-40551 is a critical untrusted deserialization flaw that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system. It earned a 9.8 CVSS rating, and about a week after the vendor issued a security advisory urging customers to patch the vulnerability, the US Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog and gave federal agencies just three days to patch the security hole.

At the same time, SolarWinds patched CVE-2025-40536, a high-severity (8.1 CVSS) security control bypass vulnerability that can allow an unauthenticated attacker to…