SolarWinds WHD Exploited in Intrusions; BeyondTrust Patches Critical RCE Flaw; Google Patches Looker Vulnerabilities

Microsoft researchers observed a multi-stage intrusion that occurred in December 2025, in which threat actors were able to move laterally within an organization after gaining initial access through flaws in internet-exposed SolarWinds Web Help Desk (WHD) instances. The targeted systems were vulnerable to the recently-disclosed CVE-2025-40551 (CVSS 9.8, untrusted data deserialization allowing remote code execution) and CVE-2025-40536 (CVSS 9.8, security control bypass allowing access to a restricted functionality), but were also vulnerable to an older flaw, CVE-2025-26399 (CVSS 9.8, AjaxProxy deserialization allowing remote code execution), making it difficult to determine which vulnerabilities were specifically exploited. Once attackers compromised a WHD instance, they spawned PowerShell and used Background Intelligent Transfer Service (BITS) to download and launch a legitimate remote management program, then conducted reconnaissance on notable users and groups, and established persistence with reverse SSH and RDP access. "In at least one case, activity escalated to DCSync from the original access host, indicating use of high‑privilege credentials to request password data from a domain controller." The researchers highlight that this is "a common but high-impact pattern: [that] a single exposed application can provide a path to full domain compromise," and emphasize the importance of "Defense in Depth, timely patching of internet-facing services, and behavior-based detection across identity, endpoint, and network layers." Microsoft provides detections and hunting queries for Defender XDR, and offers recommendations for mitigation and defense: update SolarWinds WHD to at least 2026.1, remove public access to admin paths, increase logging on Ajax Proxy, remove any unauthorized remote monitoring and management (RMM) software and artifacts, rotate credentials, and isolate compromised hosts.

A critical OS command injection vulnerability in BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) could be exploited to achieve remote code execution. Both products are available to be deployed on-premises or in the cloud. BeyondTrust addressed the issues in cloud versions earlier this month; users running on premises versions are urged to manually update to Remote Support 25.3.2 or later, and to Privileged Remote Access 25.1.1 or later if they do not have automatic updates enabled. The vulnerability was detected and disclosed to BeyondTrust by researchers at Hacktron, who observed roughly 8,500 internet-facing on-premises Remote Support deployments.

Researchers at Tenable detected a pair of flaws in Google Looker business intelligence and data analytics platform that could be chained and exploited "to completely compromise a Looker instance." Tenable has dubbed the SQL injection vulnerability LookOut (CVE-2025-12743). Google addressed the vulnerabilities for Looker-hosted instances in late September 2025. Self-hosted Looker instances need to be updated to versions 25.12.30+, 25.10.54+, 25.6.79+, 25.0.89+, or 24.18.209+. The vulnerabilities do not affect Looker releases 25.14 and above. Google Looker is used by an estimated 60,000 organizations.

The US House Committee on Energy and Commerce Energy Subcommittee has unanimously passed five cybersecurity-related bills, which now move to full committee before moving to a House floor vote. The Energy Emergency Leadership Act would assign Department of Energy (DoE) Assistant Secretaries responsibilities of energy emergency and energy security functions, including "responsibilities with respect to energy infrastructure, security and resilience, emerging threats, cybersecurity, supply, and emergency planning and preparedness, coordination, response, and restoration, as appropriate," as well as providing "technical assistance and support to protect against, detect, and respond to energy security threats, risks, and incidents" as requested by a State, local, or Tribal government or energy sector entity. The Rural and Municipal Utility Cybersecurity Act would authorize $250 million in funding across fiscal years 2026–2030 for the Rural and Municipal Utility Advanced Cybersecurity Grant and Technical Assistance Program. The Securing Community Upgrades for a Resilient Grid (SECURE Grid) Act would require consideration of the security of local distribution systems in State energy security plans. The Pipeline Cybersecurity Preparedness Act would direct DoE to create and establish a program that enhances the physical security and cybersecurity for pipelines and liquefied natural gas facilities. And the Energy Threat Analysis Center (ETAC) Act of 2026 would reauthorize DoE’s Energy Sector Operational Support for Cyberresilience Program.

Business software provider SmarterTools has disclosed a network breach that occurred on January 29, 2026. The company's own product, SmarterMail, was compromised on an employee's VM that was not being updated. Upon detecting the breach, SmarterTools shut off all its servers at affected locations and disabled internet access until investigation was complete, though notably their "website, shopping cart, My Account portal, and several other services remained online" during mitigation, thanks to isolated networks. The breach affected 12 Windows servers at the SmarterTools office and at a data center containing QC labs and hosting "[the company] Portal as well as our Hosted SmarterTrack network, which was connected via Active Directory." Affected servers were restored from recent backups, and the company's Linux servers were not affected. The announcement provides indicators of compromise (IoCs), and credits Sentinel One's effectiveness at "detecting vulnerabilities and preventing servers from being encrypted." SmarterTools confirmed that the attacker was the Warlock Group, known for Ransomware as a Service (RaaS), noting that the group typically gains access, installs files, and waits six or seven days before attempting to take control of Active Directory and encrypt systems. "This explains why some customers experienced a compromise even after updating—the initial breach occurred prior to the update, but malicious activity was triggered later." Since the attack, SmarterTools has eliminated Windows and Active Directory services from its networks and has replaced all passwords. SmarterMail Build 9518 contains fixes for CVE-2026-23760, CVE-2026-24423, and CVE-2025-52691, all known to be exploited by late January, and Build 9526 contains additional recent improvements and fixes.

In the wake of Ivanti's late January 2026 announcement of exploited critical flaws in Endpoint Manager Mobile (EPMM), multiple European organizations have reported compromises. On February 6, two Dutch state officials wrote to their parliament to disclose a compromise of both the Dutch Data Protection Authority (AP) and Judicial Council (RVDR) involving exploitation of Ivanti EPMM vulnerabilities. The organizations undertook security measures after detecting the breach, but employee names, business email addresses, and phone numbers were accessed by an unauthorized third party; those affected have been notified directly. RVDR has submitted a breach report to AP, and AP has submitted a report to its own data protection officer. The Dutch office of the CIO is continuing to investigate for possible broader impact within the central government. On February 5, the European Commission published a press release disclosing a breach of "central infrastructure managing mobile devices ... which may have resulted in access to staff names and mobile numbers of some [Commission] staff members," stating that the incident was contained and the system cleaned within nine hours, with no apparent compromise of mobile devices. Ivanti EPMM is not mentioned by name. CERT-EU, governed by the Interinstitutional Cybersecurity Board (IICB), detected the attack on January 30, and is continuing to investigate. Finland's government agency in charge of information technology (Valtori) also disclosed a January 30 breach of their "mobile device management service [...] exploit[ing] a vulnerability in a commercial software product." The breach compromised data belonging to approximately 50,000 devices within certain government ICT services, including names, work email addresses, phone numbers, and device details. Similarly, it does not appear that the devices themselves were compromised. Valtori applied patches once they became available, isolated the device management service from the network, and will provide organization-specific information as investigation continues. CVE-2026-1281 and CVE-2026-1340 both carry CVSS score 9.8, and both allow an unauthenticated attacker to achieve remote code execution through code injection. Customers should follow Ivanti's instructions and syntax to properly apply the RPM patch script appropriate to their system.

Late last week, Florida-based payment technology provider BridgePay Network Solutions suffered a ransomware attack that disrupted the availability of the company's services. Local governments and small businesses that use BridgePay have been unable to process credit card payments. At least one city has posted online that they can accept board payments in person. Affected services include BridgePay Gateway API (BridgeComm), PayGuardian Cloud API, MyBridgePay virtual terminal and reporting, Hosted payment pages, and PathwayLink gateway and boarding portals. BridgePay is investigating the incident with the help of third-party specialists and law enforcement; there is currently no estimated time of system restoration.

State legislators in New York have introduced a bill that would put a three-year moratorium on issuing permits for data center development in the state. The three-year period is intended to allow time for conducting impact assessments, including water, electricity, and gas usage, and time for updating regulations. At least five other US states, including Georgia, Maryland, Oklahoma, Vermont, and Virginia, have recently introduced similar legislation. At the local level, at least 14 towns and counties have issued data center development pauses. There are currently more than 130 data centers in the state of New York, with more under construction.

German health insurance provider AOK Bayern has notified a subset of its policyholders that their electronic patient records (ePA) were inadvertently temporarily closed. The incident was caused by an error on the part of IT service providers involved in a planned system update. AOK Bayern serves patients in Bavaria, and the incident affected approximately 6,400 records. The organization is working to restore the content of the closed files. In a letter sent to patients, AOK Bayern writes "If you urgently need your previous documents, please contact your doctor's office, hospital, or pharmacy."