SolarWinds Web Help Desk (WHD) has been under attack, with intruders exploiting vulnerabilities to steal high-privilege credentials. The attackers remain unknown, and the exact method of exploitation is still a mystery. Microsoft researchers have identified two critical vulnerabilities in WHD, CVE-2025-40551 and CVE-2025-40536, both of which could allow remote code execution and unauthorized access. However, the threat hunters cannot confirm that these vulnerabilities were the primary entry points, because the attacks occurred in December 2025 on machines vulnerable to both old and new CVEs. SolarWinds has also patched CVE-2025-26399, a critical flaw that allowed remote attackers to run commands on host machines, but it took three attempts to get the patch right.

Once inside, the attackers used a 'living off the land' technique, abusing legitimate Windows features such as BITS to download and execute payloads. They also installed Zoho ManageEngine, a remote monitoring and management (RMM) tool, to retain long-term control. The intruders enumerated sensitive domain users and groups, established reverse SSH and RDP access, and used DLL sideloading to steal credentials.

Security experts advise applying the WHD patches and removing public access to admin paths. Security teams should also scan for and remove unauthorized RMM tools and rotate credentials, especially for service and admin accounts reachable through WHD.
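As a starting point for the host-level hunt described above, the following PowerShell triage script is an added example and not part of the original report or any SolarWinds or Microsoft tooling. It assumes it is run elevated on the WHD server, and the RMM name list is a placeholder to be replaced with your own approved-tool inventory.

```powershell
# Added triage script (not from the report). Assumptions: run as an
# administrator on the WHD host; $rmmPatterns is a placeholder list.
$rmmPatterns = @('ManageEngine')   # extend from your own RMM allow/deny list
$lookback    = (Get-Date).AddDays(-30)

# 1. Installed software whose display name looks like an RMM agent
#    (check both the 64-bit and the WOW6432Node uninstall hives).
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$rmmHits = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object {
    $name = $_.DisplayName
    $name -and ($rmmPatterns | Where-Object { $name -like "*$_*" })
  } | Select-Object DisplayName, Publisher, InstallDate

# 2. Live BITS jobs for every user, with the remote URL each file pulls from.
$bitsJobs = Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue |
  ForEach-Object {
    $job = $_
    $job.FileList | ForEach-Object {
      [pscustomobject]@{
        Job = $job.DisplayName; Owner = $job.OwnerAccount
        Remote = $_.RemoteName;  Local = $_.LocalName
      }
    }
  }

# 3. Recent BITS-Client events: ID 59 is "transfer job started" and its
#    message carries the URL, so it records downloads even after the job is gone.
$bitsEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Bits-Client/Operational'
    Id = 59; StartTime = $lookback
  } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }

# 4. Established TCP connections owned by an ssh client process: a reverse
#    SSH tunnel shows up as an outbound connection from ssh.exe, not a listener.
$sshConns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
  Where-Object {
    (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName -eq 'ssh'
  } | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess

'== Software matching RMM patterns ==';      $rmmHits    | Format-Table -AutoSize
'== Current BITS jobs (all users) ==';       $bitsJobs   | Format-Table -AutoSize
'== BITS transfers started, last 30 days =='; $bitsEvents | Format-Table -AutoSize
'== Established connections from ssh.exe =='; $sshConns   | Format-Table -AutoSize
```

Any hit in the first two sections should be reconciled against change records before removal, and a confirmed unauthorized RMM agent or BITS download is the trigger for the credential rotation the report recommends.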