Someone's attacking SolarWinds WHD to steal high‑privilege credentials - but we don't know who or how


Digital intruders exploited buggy SolarWinds Web Help Desk (WHD) instances in December to break into victims' IT environments, move laterally, and steal high-privilege credentials, according to Microsoft researchers.

But one mystery remains: which flaw in the popular help-desk ticketing app did the unknown miscreants abuse in these attacks?

"We have not yet confirmed whether the attacks are related to the most recent set of WHD vulnerabilities disclosed on January 28, 2026, such as CVE-2025-40551 and CVE-2025-40536 or stem from previously disclosed vulnerabilities like CVE-2025-26399," the threat hunters said in a Friday blog. "Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold."

Redmond's team said it continues to investigate the intrusions and will update the analysis as they learn more. The researchers ...


Copyright of this story solely belongs to theregister.co.uk.