SolarWinds Web Help Desk Vulnerabilities Exploited in Multi-Stage Cyber Attacks


By Tina Reynolds


On February 7, 2026, malicious actors carried out a complex multi-stage cyber attack, exploiting flaws in SolarWinds Web Help Desk (WHD) instances to carry out their scheme. In this particular attack, the threat actors chained several security vulnerabilities. Interestingly, they used CVE-2025-40536, CVE-2025-40551, and CVE-2025-26399 as initial access vectors. These vulnerabilities allowed the attackers to reach privileged features and opened the door to remote code execution, resulting in a broader, systemic compromise.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog. This action is a resounding call to address these security problems before it is too late. Microsoft tracked the attacks and relayed its findings to law enforcement, particularly because it found that internet-exposed SolarWinds WHD instances were unusually vulnerable to exploitation.

Attack Vector and Techniques

The attackers started their breach by exploiting vulnerabilities in SolarWinds WHD. They then placed a legitimate system executable (wab.exe) on the host to trigger the execution of a malicious dynamic link library (DLL) named sspicli.dll. This stage was focused on credential theft, allowing the threat actors to steal valuable information from affected systems.
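The wab.exe/sspicli.dll pairing described above is a classic DLL side-loading pattern, and the simplest defender check is whether a DLL carrying a system library's name is loaded from somewhere other than the Windows system directories. The following is an added example, not code from the original article or from Microsoft; it runs over constructed Sysmon-style image-load records (Event ID 7) and flags the suspicious load.

```python
"""Flag likely side-loading of sspicli.dll from Sysmon-style image-load records.

All records below are constructed for illustration; they are not logs from the incident.
"""
from pathlib import PureWindowsPath

# Directories where a genuine copy of sspicli.dll is expected to live.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed Event ID 7 style records: loading process, loaded image, signature status.
EVENTS = [
    {"Image": r"C:\Program Files\Windows Mail\wab.exe",
     "ImageLoaded": r"C:\Windows\System32\sspicli.dll", "Signed": "true"},
    {"Image": r"C:\Users\Public\Libraries\wab.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\sspicli.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\sspicli.dll", "Signed": "true"},
]


def _norm(path: str) -> PureWindowsPath:
    """Lower-case and parse a Windows path so comparisons are case-insensitive."""
    return PureWindowsPath(path.lower())


def sideload_indicators(event: dict) -> list:
    """Return human-readable reasons why this load looks like sspicli.dll side-loading.

    An empty list means the load is consistent with the genuine system DLL.
    """
    reasons = []
    loaded = _norm(event["ImageLoaded"])
    if loaded.name != "sspicli.dll":
        return reasons
    outside_system = str(loaded.parent) not in TRUSTED_DIRS
    if outside_system:
        reasons.append("sspicli.dll loaded from outside the system directories")
    # A copy sitting next to the executable that loads it is the side-loading giveaway.
    if outside_system and loaded.parent == _norm(event["Image"]).parent:
        reasons.append("DLL sits beside the loading executable")
    if event.get("Signed", "").lower() != "true":
        reasons.append("DLL is not signed")
    return reasons


def find_sideloads(events: list) -> list:
    """Return only the records that carry at least one side-loading indicator."""
    return [e for e in events if sideload_indicators(e)]
```

In production the same logic would be applied to EDR or Sysmon telemetry rather than an inline list, and the trusted-directory set would be extended with any known-good install paths.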

To maintain persistence inside target networks, the threat actors used Zoho Meetings and Cloudflare tunnels. These tools made it possible to retain access even if initial detection attempts were unsuccessful. They also used Velociraptor, a legitimate digital forensics tool, to conduct command-and-control (C2) operations.

“In this intrusion, attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms.” – thehackernews.uk

In Microsoft’s report, it was noted that the attacks had started as early as December 2025. The specific vulnerability exploited to gain initial access is still unclear. “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” a representative from Microsoft stated.

The DCSync Attack and Credential Harvesting

As part of their operation, the threat actors performed a DCSync attack against the Active Directory (AD) database. This technique allowed them to request password hashes and other sensitive data from the AD environment. Access to this data greatly increases an attacker’s ability to move laterally within a compromised network, and this behind-the-scenes maneuvering usually leads to further compromises.
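A DCSync request is, at the directory level, an ordinary replication request, so it shows up in Windows Security event 4662 as an object access that asks for the replication control-access rights; the detection is to flag such requests from any account that is not a domain controller or an approved sync service. The block below is an added example, not from the article or Microsoft's report; the replication-right GUIDs are the well-known AD values, while the allow-list of replicating accounts and the event records are constructed assumptions.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.

The sample events and the allow-list are constructed for illustration only.
"""
import re

# Well-known AD control-access rights that grant directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Hypothetical accounts that legitimately replicate: DC machine accounts and a sync service.
ALLOWED_REPLICATORS = {"DC01$", "DC02$", "svc_aadconnect"}

GUID_RE = re.compile(r"\{?([0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12})\}?", re.I)

REPLICATION_PROPS = ("%%7688\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                     "\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}")

# Constructed 4662 records: a DC replicating normally, a user account replicating, and
# a user access that asks for an unrelated (made-up) right.
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": REPLICATION_PROPS},
    {"EventID": 4662, "SubjectUserName": "jdoe", "Properties": REPLICATION_PROPS},
    {"EventID": 4662, "SubjectUserName": "jdoe",
     "Properties": "%%7688\n\t{00000000-0000-0000-0000-000000000001}"},
]


def replication_rights_requested(event: dict) -> set:
    """Return the names of any replication rights listed in the event's Properties."""
    found = set()
    for guid in GUID_RE.findall(event.get("Properties", "")):
        name = REPLICATION_RIGHTS.get(guid.lower())
        if name:
            found.add(name)
    return found


def is_dcsync_candidate(event: dict, allowed=ALLOWED_REPLICATORS) -> bool:
    """True when a non-allow-listed principal requests replication rights."""
    if event.get("EventID") != 4662:
        return False
    if not replication_rights_requested(event):
        return False
    return event.get("SubjectUserName") not in allowed


def dcsync_alerts(events: list) -> list:
    """Return (account, sorted rights) pairs for every suspicious request."""
    return [(e["SubjectUserName"], sorted(replication_rights_requested(e)))
            for e in events if is_dcsync_candidate(e)]
```

Auditing of "Directory Service Access" must be enabled on the domain controllers for 4662 to be generated at all, and the allow-list should be kept to DC computer accounts plus any sync service account that genuinely needs replication rights.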

The attackers in fact used an outdated version of Velociraptor (0.73.4) that had a known privilege escalation vulnerability (CVE-2025-6264). This oversight inadvertently provided them with greater capabilities inside the infected environments, creating significantly greater challenges for detection and mitigation.

Jamie Levy, director of adversary tactics at cyber firm Huntress, suggested a strong linkage. She thinks this campaign could be connected to past campaigns related to the Warlock ransomware group. “We saw one customer come on after they had been compromised and ransomed, cementing our suspicions even further,” Levy noted.

Implications and Recommendations

The repercussions of these vulnerabilities and the attacks that followed are far-reaching. This particular incident demonstrates a growing and troubling trend: a single exposed application can quickly turn into an entry point for complete domain takeover if vulnerabilities are allowed to go unpatched or under-monitored.

Microsoft has long had an interest in this type of issue, advocating for strong security practices and regular patching to avoid these kinds of dangers. “This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored,” the company remarked.

As organizations continue to face evolving cyber threats, experts recommend implementing stringent security protocols, including regular vulnerability assessments and timely patch management. They also encourage employees to take awareness training, which prepares them to identify emerging risks through unusual behavior in their network environments.