{"id":211712,"date":"2026-02-09T09:42:00","date_gmt":"2026-02-09T14:42:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/09\/solarwinds-web-help-desk-exploited-for-rce-in-multi-stage-attacks-on-exposed-servers\/"},"modified":"2026-02-09T16:05:07","modified_gmt":"2026-02-09T21:05:07","slug":"solarwinds-web-help-desk-exploited-for-rce-in-multi-stage-attacks-on-exposed-servers","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/09\/solarwinds-web-help-desk-exploited-for-rce-in-multi-stage-attacks-on-exposed-servers\/","title":{"rendered":"SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers"},"content":{"rendered":"

SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers<\/a><\/p>\n

https:\/\/thehackernews.com\/2026\/02\/solarwinds-web-help-desk-exploited-for.html<\/a><\/p>\n

Publish Date: 2026-02-09 09:42:00<\/a><\/p>\n

Source Domain: thehackernews.com<\/a><\/p>\n

\ue804Ravie Lakshmanan<\/span>\ue802Feb 09, 2026<\/span><\/span>Vulnerability \/ Endpoint Security<\/span><\/p>\n

Microsoft has revealed that it observed a multi\u2011stage intrusion that involved the threat actors exploiting internet\u2011exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization’s network to other high-value assets.<\/p>\n

That said, the Microsoft Defender Security Research Team said it’s not clear whether the activity weaponized recently disclosed flaws (CVE-2025-40551, CVSS score: 9.8, and CVE-2025-40536, CVSS score: 8.1), or a previously patched vulnerability (CVE-2025-26399, CVSS score: 9.8).<\/p>\n

“Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” the company said in a report published last week.<\/p>\n

While CVE-2025-40536 is a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality, CVE-2025-40551 and CVE-2025-26399 both refer to untrusted data deserialization vulnerabilities that could lead to remote code execution.<\/p>\n

Last week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies were ordered to apply the fixes for the flaw by February 6, 2026.<\/p>\n

In the attacks detected by Microsoft, successful exploitation of the exposed SolarWinds WHD instance allowed the attackers to achieve unauthenticated remote code execution and run arbitrary commands within the WHD application context.<\/p>\n

\"\"<\/p>\n

“Upon successful exploitation, the compromised service of a WHD instance spawned PowerShell to leverage BITS [Background Intelligent Transfer Service] for payload download and execution,” researchers Sagar Patil, Hardik Suri, Eric Hopper, and Kajhon Soyini…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on Exposed Servers https:\/\/thehackernews.com\/2026\/02\/solarwinds-web-help-desk-exploited-for.html Publish…<\/p>\n","protected":false},"author":1,"featured_media":211713,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1coFDcJGaV6fnBzpBs3TXSas4-odFMjYTlXPM-cyQcpzDyCshc0pH8HMEo1XmNUoVPRU4J56lg3ApR_-KpFn8L6aiATW4A5Xx_cIUbCYO1MI9W6lTiW-vlJWPK7Bc-SkXNcjQ-CnP7_HCOwhRYn1HsJnuE6sCOQZ6S4m-LC3zySGT_mHorlhwwJA4SLlO\/s1600\/1000054453.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-211712","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211712"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=211712"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211712\/revisions"}],"predecessor-version":[{"id":211714,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/211712\/revisions\/211714"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/211713"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=211712"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=211712"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=211712"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}