Code Defence Cyber security

SolarWinds Under Siege: “Operation SunBurn 2.0” Confirmed

Summary: Following the disclosure on Feb 4th, Mandiant has confirmed that the deserialization flaw in SolarWinds Web Help Desk is now being exploited at scale by a new threat cluster tracked as “Void Manticore.” The attackers are deploying web shells to gain persistence within 20 minutes of initial access, specifically targeting unpatched government and MSP sectors.

Business Impact: Critical Emergency. This is no longer a theoretical risk. If your Web Help Desk is internet-facing and unpatched, you must assume compromise. Attackers are using this foothold to harvest credentials and pivot to domain controllers.

Why It Happened: The “Patch Gap” window was too wide. Many organizations delayed maintenance over the weekend, providing a 72-hour open window for automated exploitation scripts to scan and infect vulnerable servers.

Recommended Executive Action: Disconnect Immediately. Take any unpatched Web Help Desk instance offline. Do not just block ports; sever the connection. Initiate an Incident Response plan to hunt for “Godzilla” web shells in the `\helpdesk` directory.
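
A first-pass triage for the web shell hunt described above, as an added example that is not from the original post, SolarWinds or Mandiant: it lists server-side script files under the Web Help Desk directory that were modified inside the exposure window, with SHA-256 hashes for comparison against a clean install. The install path, the extension list and the window timestamps are assumptions to replace with your own.

```python
import hashlib
import os
from datetime import datetime, timedelta, timezone

# Assumption: extensions a Java web application could execute or load.
# Adjust for your deployment; this list is not from the original post.
SCRIPT_EXTS = {".jsp", ".jspx", ".war", ".class", ".jar"}


def sha256_of(path):
    """Hash a file in chunks so large archives do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(root, window_start, window_end):
    """Return (path, mtime, sha256) for script files modified in the window."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                mtime = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                if window_start <= mtime <= window_end:
                    findings.append((path, mtime, sha256_of(path)))
            except OSError:
                # Locked or vanished files are themselves worth a manual look.
                findings.append((path, None, "UNREADABLE"))
    # Oldest change first; unreadable entries are listed last.
    return sorted(findings, key=lambda f: (f[1] is None, f[1] or window_start))


if __name__ == "__main__":
    # Constructed values: replace with your install path and the period the
    # instance was exposed before it was patched or taken offline.
    root = r"C:\Program Files\WebHelpDesk"  # hypothetical install path
    end = datetime.now(timezone.utc)
    start = end - timedelta(hours=72)  # the 72-hour gap cited above
    for path, mtime, digest in hunt(root, start, end):
        print(mtime.isoformat() if mtime else "unknown", digest, path)
```

Modification times can be altered after the fact, so an empty result does not clear the host; run it against the offline instance and also compare the hashes of all script files with a known-good install.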

Hashtags: #SolarWinds #SunBurn2 #VoidManticore #IncidentResponse #ZeroDay #CyberWarfare
