SolarWinds Web Help Desk Exploitation - February 2026
ID: 48fecbbc-0878-55c7-9453-973361416f4c
STIX ID: report--48fecbbc-0878-55c7-9453-973361416f4c
Feed Name: Elastic Security Labs
On February 6, 2026, Microsoft reported active exploitation of Internet-facing SolarWinds Web Help Desk servers (initial activity dating from December 2025) leveraging one or more disclosed CVEs (CVE-2025-26399, CVE-2025-40536, CVE-2025-40551). Post-exploitation activity included installing remotely hosted MSI RMM agents and legitimate tools (Velociraptor, Cloudflared), disabling Defender, setting up QEMU-based scheduled-task tunnels for persistent SSH access, and credential dumping, including extraction of NTDS.dit. The report includes Elastic SIEM/Defend detections, prevention artifacts, and recommendations to patch, rotate credentials, review hosts, and remove unauthorized RMM usage.
