Multiple Critical Vulnerabilities and Active Exploitation Across SolarWinds WHD and Ivanti EPMM
Microsoft Defender researchers reported a multi-stage intrusion campaign exploiting internet-exposed SolarWinds Web Help Desk (WHD) servers to establish stealthy persistence and enable lateral movement toward broader domain compromise. After initial access, attackers created a scheduled task to start a hidden QEMU virtual machine under SYSTEM, using QEMU port forwarding (e.g., hostfwd=tcp::22022-:22) to provide a concealed SSH access path. The activity also included credential-theft tradecraft via DLL sideloading, abusing wab.exe to load a malicious sspicli.dll, enabling access to LSASS memory while attempting to evade common detections.
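The hunt that Microsoft's guidance calls for (scheduled tasks that start a hidden QEMU guest as SYSTEM with a `hostfwd=` forward) can be scripted against exported task definitions. The following is an added example, not code from the page or from Microsoft; the `TaskRecord` shape, the scoring rules and the three sample task records are constructed here for illustration, and only the `hostfwd=tcp::22022-:22` value comes from the reported campaign.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# QEMU user-mode networking forward, e.g. hostfwd=tcp::22022-:22
# Groups: protocol, host address, host port, guest address, guest port.
HOSTFWD_RE = re.compile(
    r"hostfwd=(?P<proto>tcp|udp):(?P<hostaddr>[^:,\s]*):(?P<hostport>\d+)"
    r"-(?P<guestaddr>[^:,\s]*):(?P<guestport>\d+)",
    re.IGNORECASE,
)
# Any qemu binary name (qemu-system-x86_64.exe, qemu-system-aarch64, ...).
QEMU_RE = re.compile(r"qemu(-system-[\w-]+)?(\.exe)?", re.IGNORECASE)
# Flags that suppress the guest's console window.
HEADLESS_FLAGS = ("-display none", "-nographic")
SYSTEM_PRINCIPALS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "S-1-5-18"}


@dataclass
class TaskRecord:
    """Minimal view of a scheduled task (hypothetical shape, constructed here)."""
    name: str
    run_as: str      # principal the task runs under
    command: str     # action command line, arguments included


def forwards(command: str) -> List[Tuple[str, int, int]]:
    """Extract (protocol, host port, guest port) for every hostfwd= in a command line."""
    return [
        (m.group("proto").lower(), int(m.group("hostport")), int(m.group("guestport")))
        for m in HOSTFWD_RE.finditer(command)
    ]


def score_task(task: TaskRecord) -> List[str]:
    """Return the reasons a task looks like covert QEMU persistence; empty list means benign."""
    reasons: List[str] = []
    if not QEMU_RE.search(task.command):
        return reasons
    if task.run_as.upper() in SYSTEM_PRINCIPALS:
        reasons.append("qemu launched as SYSTEM")
    lowered = task.command.lower()
    if any(flag in lowered for flag in HEADLESS_FLAGS):
        reasons.append("headless/hidden display")
    for proto, host_port, guest_port in forwards(task.command):
        reasons.append(f"hostfwd {proto} host:{host_port} -> guest:{guest_port}")
    return reasons


def hunt(tasks: List[TaskRecord]) -> Dict[str, List[str]]:
    """Map each suspicious task name to its reasons; benign tasks are omitted."""
    findings: Dict[str, List[str]] = {}
    for task in tasks:
        reasons = score_task(task)
        if reasons:
            findings[task.name] = reasons
    return findings


# Constructed sample records: one normal OS task, one developer VM with a
# visible console and no forward, one headless SYSTEM VM with an SSH forward.
SAMPLE_TASKS = [
    TaskRecord(
        name="\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan",
        run_as="SYSTEM",
        command=r"C:\Windows\System32\usoclient.exe StartScan",
    ),
    TaskRecord(
        name="DevVM",
        run_as="CORP\\alice",
        command=r'"C:\Program Files\qemu\qemu-system-x86_64.exe" -m 4096 -hda C:\vms\dev.qcow2',
    ),
    TaskRecord(
        name="SysHealthCheck",
        run_as="SYSTEM",
        command=(
            r"C:\ProgramData\hc\qemu-system-x86_64.exe -display none -m 2048 "
            r"-hda C:\ProgramData\hc\disk.qcow2 "
            r"-netdev user,id=n0,hostfwd=tcp::22022-:22 -device e1000,netdev=n0"
        ),
    ),
]

if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_TASKS).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The rules are deliberately additive: a QEMU task earns a finding only when it runs as SYSTEM, hides its display, or forwards a host port into the guest, so a developer's interactive VM is not reported while a task matching all three traits is reported with every reason listed. Feeding it real data means exporting task XML (for example with `schtasks /query /xml`) and mapping the `Principal` and `Exec` elements onto `TaskRecord`.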
Separately, active exploitation was reported against Ivanti Endpoint Manager Mobile (EPMM) appliances following disclosure of two critical flaws—CVE-2026-1281 (authentication bypass) and CVE-2026-1340 (remote code execution)—with intrusions observed dropping an artifact at /mifs/403.jsp. The observed payloads differed from typical interactive webshells: attackers delivered a Base64-encoded Java class (with CAFEBABE header) acting as a dormant in-memory class loader (e.g., base.Info compiled from Info.java) that waits for a later activation request to load and execute a second-stage class in memory, including an unusual entry point using equals(Object) rather than standard servlet handlers. In parallel with these exploitation reports, two unrelated critical vulnerability disclosures were highlighted: Keylime registrar misconfiguration (CVE-2026-1709, CVSS 9.4) that effectively disables mTLS client certificate enforcement (affected versions 7.12.0–7.13.0), and a Microsoft Semantic Kernel .NET SDK arbitrary file write (CVE-2026-25592, CVSS 10.0) in SessionsPythonPlugin (DownloadFileAsync/UploadFileAsync) that can allow overwriting files via insufficient path validation.
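The Semantic Kernel issue above is an instance of a general file-write bug: a caller-supplied file name is joined onto a storage directory without checking that the resolved path stays inside it. The block below is an added illustration of that pattern and its fix, written in Python; it is not the SDK's own code (the SDK is .NET and its actual fix is not described on the page). The base directory `/srv/sessions/out` and the sample names are constructed for the example.

```python
import os


class UnsafePathError(ValueError):
    """Raised when a requested name would resolve outside the storage directory."""


def unsafe_target(base_dir: str, name: str) -> str:
    """Vulnerable pattern: trusts the caller's name and joins it directly.
    A name such as '../../etc/passwd' or an absolute path escapes base_dir."""
    return os.path.join(base_dir, name)


def safe_target(base_dir: str, name: str) -> str:
    """Resolve `name` under base_dir and refuse anything that escapes it.

    realpath() normalises '.' and '..' segments and follows symlinks, so the
    containment check is done on the final on-disk location rather than on
    the string the caller supplied.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # An absolute `name` makes os.path.join discard `base`; realpath of the
    # result then fails the prefix test below, so it is rejected as well.
    if candidate == base:
        raise UnsafePathError("empty or directory-only name is not a file")
    if not candidate.startswith(base + os.sep):
        raise UnsafePathError(f"{name!r} resolves outside {base_dir!r}")
    return candidate


def is_contained(base_dir: str, name: str) -> bool:
    """Convenience wrapper: True when safe_target would accept the name."""
    try:
        safe_target(base_dir, name)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    base = "/srv/sessions/out"  # constructed storage directory
    for requested in ("report.txt", "sub/../report.txt", "../../etc/passwd",
                      "/etc/passwd", "sub/../../escape.txt", ""):
        print(f"{requested!r:28} unsafe -> {unsafe_target(base, requested)}")
        print(f"{'':28} safe   -> {'accepted' if is_contained(base, requested) else 'REJECTED'}")
```

The prefix test uses `base + os.sep` rather than `base` alone so that a sibling directory such as `/srv/sessions/out2` cannot pass as "inside" `/srv/sessions/out`. On a real upload or download handler the same check belongs on both directions, since the disclosure names both `DownloadFileAsync` and `UploadFileAsync`.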
Timeline
Feb 10, 2026
Microsoft publishes findings and mitigation guidance for WHD campaign
Microsoft Defender Research disclosed the SolarWinds WHD campaign and advised organizations to patch WHD, restrict public exposure of administrative paths, and hunt for QEMU-based persistence and unauthorized remote management artifacts.
Feb 9, 2026
Shadowserver reports 56 Ivanti EPMM IPs compromised
Shadowserver separately observed webshell deployment on Ivanti EPMM devices and reported 56 IP addresses as compromised. The finding indicated active exploitation at measurable scale.
Feb 9, 2026
Attackers deploy dormant in-memory backdoors on Ivanti EPMM devices
Attackers were observed exploiting Ivanti EPMM appliances to drop a Base64-encoded Java class at /mifs/403.jsp that functioned as an in-memory class loader awaiting later activation. Defusedcyber verified the loader deployment without second-stage execution, indicating an implant-now-operate-later approach.
Feb 9, 2026
Critical Ivanti EPMM vulnerabilities are disclosed
Two critical Ivanti Endpoint Manager Mobile vulnerabilities, CVE-2026-1281 and CVE-2026-1340, were disclosed prior to active exploitation being reported. These flaws enabled unauthenticated access to exposed EPMM appliances.
Dec 1, 2025
QEMU VM persistence and credential theft used on breached WHD servers
After compromising SolarWinds WHD, attackers created a scheduled task to launch a hidden QEMU virtual machine as SYSTEM and used port forwarding for covert SSH access. The campaign also used DLL sideloading and LSASS access for credential theft, and in at least one case enabled a DCSync attack for domain password replication.
Dec 1, 2025
Attackers compromise SolarWinds WHD servers in multi-stage campaign
Microsoft Defender Research observed a sophisticated intrusion campaign targeting internet-exposed SolarWinds Web Help Desk servers in December 2025. Attackers gained initial access through an unconfirmed vulnerability amid multiple concurrent WHD flaws.
Related Stories

Active Exploitation of Ivanti EPMM Zero-Day RCE Vulnerabilities
**Ivanti Endpoint Manager Mobile (EPMM)** is being actively exploited via two critical, unauthenticated remote code execution vulnerabilities, **CVE-2026-1281** and **CVE-2026-1340** (both reported as CVSS 9.8). Reporting describes attackers achieving full control of exposed EPMM/MDM infrastructure, including establishing reverse shells, deploying web shells, performing reconnaissance, and downloading additional malware; activity has been observed across multiple countries and sectors (including government, healthcare, manufacturing, and technology). **CISA added CVE-2026-1281 to the Known Exploited Vulnerabilities (KEV) Catalog**, and defenders are urged to apply Ivanti’s available fixes/updates per the vendor advisory. Telemetry and threat-intel observations indicate broad internet exposure and automation in exploitation. Unit 42 reported visibility into **4,400+** EPMM instances, and noted threat actors shifting from initial exploitation toward **dormant backdoors** intended to preserve access even after patching. GreyNoise data highlighted that a large share of observed exploitation traffic (reported as **83%**) originated from a single IP, `193.24.123.42`, associated with “bulletproof” hosting, with attackers rotating user-agent strings consistent with mass scanning/exploitation; the same infrastructure was also linked to attempts against other products (e.g., Oracle WebLogic, `telnetd`, and GLPI).
1 month ago
CISA Flags Actively Exploited SolarWinds Web Help Desk Flaw as Metasploit Adds Exploit Modules
**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, including a critical **SolarWinds Web Help Desk (WHD)** security protection bypass tracked as `CVE-2025-40536` (CVSS 9.8). The issue stems from flawed CSRF-check logic that relies on a whitelist of query parameters, which can be bypassed with crafted URI parameters to reach restricted functionality without authentication; SolarWinds patched the flaw in *WHD 2026.1*. CISA set an accelerated remediation deadline for U.S. Federal Civilian Executive Branch agencies, and Microsoft separately reported an active campaign targeting SolarWinds WHD but did not confirm whether `CVE-2025-40536` was the specific vulnerability exploited. Rapid7 reported that **Metasploit added exploit module support for SolarWinds WHD vulnerabilities `CVE-2025-40536` and `CVE-2025-40551`**, enabling post-exploitation sessions running as `NT AUTHORITY\SYSTEM` when successful. This increases operational risk for unpatched environments by lowering the barrier to exploitation and reinforces the urgency of applying SolarWinds’ available fixes and validating exposure of WHD instances, particularly those reachable from untrusted networks.
1 month ago
Active Exploitation of Critical Enterprise Software Vulnerabilities Added to CISA KEV
Multiple **critical, unauthenticated remote code execution and authentication-bypass vulnerabilities** in widely deployed enterprise products were reported as **actively exploited** and, in several cases, added to CISA’s **Known Exploited Vulnerabilities (KEV)** catalog. SmarterTools *SmarterMail* is being targeted in **ransomware** activity via **CVE-2026-24423**, an unauthenticated RCE caused by missing authentication on the `ConnectToHub` API (`/api/v1/settings/sysadmin/connect-to-hub`), where an attacker-controlled server can return JSON containing a `CommandMount` value that drives arbitrary command execution; the issue affects versions prior to `v100.0.9511`. Separately, SolarWinds *Web Help Desk* is affected by **CVE-2025-40551** (CVSS 9.8), a **deserialization of untrusted data** flaw in the `AjaxProxy` component enabling remote, unauthenticated command execution; CISA added it to KEV amid in-the-wild exploitation and set an accelerated patch deadline for US federal agencies. In parallel, Fortinet environments using **FortiCloud SSO** face authentication-bypass risk from **CVE-2025-59718**, **CVE-2025-59719**, and **CVE-2026-24858**, which can allow an attacker with a FortiCloud account to log into organizations’ **FortiOS, FortiManager, FortiAnalyzer, FortiProxy, and FortiWeb** if SSO is enabled; Kaspersky published **SIEM correlation rules** to detect related suspicious logins and admin actions. Samsung *MagicInfo 9 Server* (digital signage management) was also reported with a trio of severe flaws affecting versions prior to `21.1090.1`, including **CVE-2026-25202** (hardcoded credentials, CVSS 9.8) and **CVE-2026-25201** (unauthenticated arbitrary file upload leading to RCE, CVSS 8.8), creating risk of server takeover and potential network compromise; the article does not indicate KEV inclusion or confirmed exploitation for these MagicInfo issues.
1 month ago