SolarWinds Six Years Later: The Same Open Doors, the Same Exploitable Trust Failures—And Why History Is Poised to Repeat + Video

Listen to this Post

Featured Image

Introduction:

Six years after the SolarWinds Orion supply-chain attack—the most consequential cyber incident in history, affecting 18,000 organisations including the U.S. Treasury, State Department, and Homeland Security—a longitudinal assessment spanning March 2020 to June 2026 reveals that the same attack pathways remain unsecured on SolarWinds infrastructure today. Persistent certificate trust failures, browser “Not secure” authentication surfaces, SSL Labs T ratings, and DNSSEC insecurity are not isolated anomalies; they represent repeated, observable trust-control weaknesses that adversaries actively exploit to position themselves inside supplier networks. The attack surface that enabled state-level tradecraft to weaponize SolarWinds’ Orion updates has never been secured—and this is not simply a configuration issue but a foundational governance failure.

Learning Objectives:

  • Understand the persistent certificate and DNS trust failures that continue to expose SolarWinds and similar vendors to supply-chain compromise.
  • Learn to verify and harden certificate validation, DNSSEC, and code-signing controls using practical Linux/Windows commands and configuration audits.
  • Implement proactive attack surface management (ASM) and continuous monitoring workflows to detect and remediate trust-control weaknesses before adversaries exploit them.
  1. The Certificate Trust Crisis: Expired Certs, Broken Chains, and MITM Exposure

The post’s attached report evidences that SolarWinds infrastructure was observed with expired TLS certificates, triggering browser security warnings and SSL Labs T ratings—a critical failure in maintaining the trust and integrity of services. An expired certificate breaks the chain of trust, can cause service outages, and opens the door to man-in-the-middle (MITM) attacks where traffic can be intercepted or spoofed. This is compounded by the fact that SolarWinds Platform 2026.2 installations and upgrades have been failing due to missing root certificates in the Windows Trusted Root Certification Authorities store, preventing the server from validating the certificate chain.

Step‑by‑step guide: Certificate inventory, validation, and remediation

Step 1: Discover and inventory all TLS/SSL certificates across your infrastructure

You cannot secure what you do not know. Use openssl and nmap to enumerate certificates on your hosts.

 Linux: Get certificate details for a specific host
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -1oout -dates -subject

Check certificate expiry for multiple hosts
for host in $(cat hostlist.txt); do
echo -1 "$host: "
echo | openssl s_client -servername $host -connect $host:443 2>/dev/null | openssl x509 -1oout -enddate
done

Use nmap to scan a network range for certificates
nmap --script ssl-cert -p 443 192.168.1.0/24

Step 2: Validate the entire certificate chain

Ensure that all certificates in the chain are trusted and that no root certificates are missing—a known issue in SolarWinds 2026.2 deployments.

 Verify the full certificate chain
openssl s_client -connect yourdomain.com:443 -showcerts -servername yourdomain.com

Check if the certificate is trusted by the system
openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt certificate.pem

Step 3: Implement automated monitoring and renewal

Configure alerts to trigger at 30, 14, and 7 days before expiry. Use ACME protocol with Let’s Encrypt for automated renewal where possible.

 Test certificate renewal (Certbot)
sudo certbot renew --dry-run

Check automated renewal timer status
sudo systemctl status certbot.timer

Windows: Check certificate in local machine store
Get-ChildItem -Path Cert:\LocalMachine\My | Format-Table Subject, NotAfter, Thumbprint

Step 4: Remediate missing root certificates (Windows)

For SolarWinds Platform 2026.2 upgrade failures caused by missing root certificates:

 List trusted root certificates
Get-ChildItem -Path Cert:\LocalMachine\Root

Import missing root certificate (obtain from your CA or SolarWinds documentation)
Import-Certificate -FilePath "C:\path\to\root.cer" -CertStoreLocation Cert:\LocalMachine\Root
  1. DNSSEC Insecurity: The Broken Chain of Trust in DNS

The post explicitly calls out “DNSSEC insecurity” as a persistent exposure. Despite threat intelligence shared with SolarWinds leading them to sign their TLD in 2021, inconsistent deployment persists across subdomains and record types. An attacker can spoof an unsigned A record for a subdomain (e.g., api.solarwinds.com), redirecting traffic to a malicious server while the apex signature remains valid. This breaks the chain of trust and enables cache poisoning and MITM attacks.

Step‑by‑step guide: DNSSEC verification and hardening

Step 1: Verify DNSSEC status for apex and subdomains (Linux/macOS)

 Check DNSSEC for apex domain - look for "ad" flag (authenticated data) and RRSIG records
dig +dnssec example.com A

Check DNSSEC for subdomains - many organizations sign only the apex
dig +dnssec subdomain.example.com A
dig +dnssec mail.example.com MX

Validate entire chain using delv
delv @8.8.8.8 api.example.com A +vtrace

Step 2: DNSSEC verification using Windows PowerShell

 Check DNSSEC status (look for DnssecStatus property)
Resolve-DnsName -1ame example.com -Type A -DnsOnly | Format-List

Check subdomain with specific DNS server
Resolve-DnsName -1ame subdomain.example.com -Type A -Server 1.1.1.1

Step 3: Configure DNSSEC on BIND (Linux)

 Generate DNSSEC keys for your zone
dnssec-keygen -a ECDSAP256SHA256 -b 256 -1 ZONE example.com
dnssec-keygen -a ECDSAP256SHA256 -f KSK -1 ZONE example.com

Sign the zone
dnssec-signzone -A -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -o example.com -t db.example.com

Add to named.conf
zone "example.com" {
type master;
file "db.example.com.signed";
auto-dnssec maintain;
inline-signing yes;
};

Step 4: Configure DNSSEC on AWS Route53 (cloud environments)

 Enable DNSSEC signing for a hosted zone using AWS CLI
aws route53 enable-hosted-zone-dnssec --hosted-zone-id Z1234567890

Create key-signing key (KSK)
aws route53 create-key-signing-key --hosted-zone-id Z1234567890 --key-signing-key-1ame example-ksk
  1. Code-Signing Governance Failure: The Attack That Never Needed a Stolen Key

The SolarWinds SUNBURST malware did not exploit a cryptographic weakness—it exploited the build pipeline. The trojanized `SolarWinds.Orion.Core.BusinessLayer.dll` carried a valid Authenticode signature chained to SolarWinds’ legitimate code-signing certificate issued by Symantec. Every Windows host validated that signature and accepted the binary because, by every cryptographic measure, it was authentic. The attackers modified the build environment (not the source repository), with an implant called SUNSPOT monitoring build processes, swapping malicious code during compilation, and restoring the original file afterward—so source control showed no diff. The signing key did exactly what it was designed to do: sign whatever the build server presented to it.

Step‑by‑step guide: Code-signing governance and build-pipeline hardening

Step 1: Enforce HSM-backed signing keys with provable custody

Production code-signing keys must live inside a FIPS 140-3 Level 3 hardware security module (HSM). No signing key material should ever exist in software form on build servers.

 Linux: Verify that signing occurs via HSM (example with pkcs11-tool)
pkcs11-tool --module /usr/lib/libcloudhsm.so --list-objects --type privkey

Verify that the signing certificate is hardware-backed
certutil -key -csp "Microsoft Base Smart Card Crypto Provider"

Step 2: Implement build-pipeline integrity monitoring

 Monitor build processes for unauthorized modifications (Linux)
inotifywait -m -r -e modify,create,delete /path/to/build/source/

Windows: Enable build pipeline auditing via PowerShell
 Monitor file changes in build directories
$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = "C:\Build\Source"
$watcher.Filter = "."
$watcher.EnableRaisingEvents = $true
Register-ObjectEvent $watcher "Changed" -Action { Write-Host "File changed: $($Event.SourceEventArgs.FullPath)" }

Step 3: Enforce code-signing policy with anomaly detection

 Windows: Verify Authenticode signature and check for anomalies
Get-AuthenticodeSignature -FilePath "C:\Path\to\Orion.Core.BusinessLayer.dll"

Check that the signing certificate is from a trusted issuer and hasn't been revoked
Get-AuthenticodeSignature -FilePath "C:\Path\to\file.dll" | Select-Object SignerCertificate, TimeStamperCertificate

Step 4: Implement NIST SP 800-218 (SSDF) controls

As mandated by the Secure Software Development Framework, implement controls including: (1) HSM-backed keys, (2) build pipeline integrity monitoring, (3) reproducible builds, (4) signed provenance attestations, and (5) continuous anomaly detection in the signing event itself.

4. Internet Asset Discovery and Attack Surface Reduction

Andy Jenkinson’s direct warning stressed: “If the Internet Assets are Not Secured, the chances of falling victim to cyber crime is greatly increased”. An unknown or unmanaged asset is a liability—and SolarWinds’ failure to maintain basic certificate hygiene across its internet-facing assets demonstrates this principle in action.

Step‑by‑step guide: External asset discovery and hardening

Step 1: Passive enumeration (attacker’s view)

 Use Amass for passive subdomain enumeration
amass enum -passive -d yourcompany.com

Use Subfinder for additional subdomain discovery
subfinder -d yourcompany.com -o subdomains.txt

Use theHarvester for email and domain discovery
theHarvester -d yourcompany.com -b google,bing

Step 2: Active scanning (authorized only)

 Scan discovered IP ranges for open ports and services
nmap -sV -O --top-ports 1000 -iL discovered_ips.txt

Use masscan for large-scale port scanning
masscan -p1-65535 --rate=1000 -iL discovered_ips.txt -oJ scan_results.json

Step 3: Internal reconciliation and tagging

Cross-reference externally discovered assets with your internal CMDB. Tag assets by criticality, data sensitivity, and exposure level. Remove or secure any asset not accounted for in your formal inventory.

5. Continuous Monitoring: The Antidote to Ignored Warnings

The post’s core indictment is not that SolarWinds had vulnerabilities—it’s that the same vulnerabilities remain unaddressed six years later. The SolarWinds Platform 2025.2 update introduced enforced SSL certificate validation on all outbound HTTPS connections, yet the 2026.2 upgrade fails due to missing root certificates. This pattern—introducing security controls that then break because of the very certificate hygiene failures they were designed to enforce—is a governance failure, not a technical one.

Step‑by‑step guide: Build a continuous monitoring workflow

Step 1: Centralize certificate and asset monitoring

Implement a dynamic inventory of all certificates (public and internal), including issuer, expiry date, and associated service. Use tools like CertSpotter, Let’s Monitor, or enterprise solutions from Venafi or HashiCorp Vault.

Step 2: Configure multi-stage alerts

Set alerts to trigger at 30, 14, and 7 days before expiry. Never rely on a single alert.

 Example: Simple certificate expiry alert script (Linux)
!/bin/bash
EXPIRY=$(echo | openssl s_client -servername $1 -connect $1:443 2>/dev/null | openssl x509 -1oout -enddate | cut -d= -f2)
EXPIRY_EPOCH=$(date -d "$EXPIRY" +%s)
DAYS_LEFT=$(( ($EXPIRY_EPOCH - $(date +%s)) / 86400 ))
if [ $DAYS_LEFT -lt 7 ]; then
echo "WARNING: Certificate for $1 expires in $DAYS_LEFT days"
 Send alert via webhook, email, or SIEM
fi

Step 3: Automate remediation where possible

 Automated renewal via certbot (Linux)
sudo certbot renew --quiet

Windows: Scheduled task for certificate renewal
 Create a scheduled task to run renewal scripts weekly

What Undercode Say:

  • Key Takeaway 1: The SolarWinds attack was never about broken cryptography—it was about broken trust governance. The same build-pipeline compromise that enabled SUNBURST in 2020 remains possible today because organizations continue to trust that a valid cryptographic signature guarantees a safe artifact. This is a failure of security architecture, not of cryptographic engineering.

  • Key Takeaway 2: Certificate and DNSSEC hygiene are not “nice-to-have” operational tasks—they are foundational security controls that adversaries actively probe and exploit. The fact that SolarWinds infrastructure still exhibits expired certificates and DNSSEC gaps six years after the most consequential supply-chain attack in history is not a technical oversight; it is a governance failure that signals to the entire industry that the lesson has not been learned.

  • Analysis: The post’s observation that “you are constantly being lied to, misled, and then made to pay at both the front and back end” cuts to the heart of the issue. Security vendors sell solutions, but the fundamental problem is that basic security hygiene—certificate management, DNSSEC, build-pipeline integrity—remains woefully neglected even by the vendors who should be setting the standard. The SolarWinds case is not an isolated incident; it is the norm. Until organizations treat certificate lifecycle management, DNSSEC deployment, and code-signing governance as non-1egotiable, first-principles security controls—audited and enforced at the board level—the same attack pathways will continue to be exploited. The question for every customer, organization, and government is urgent: if these pathways remain open, there is zero assurance that history will not repeat.

Prediction:

  • -1 The SolarWinds case demonstrates that even the most catastrophic cyber incidents fail to drive fundamental change in security governance when the incentives are misaligned. Expect continued supply-chain attacks exploiting the same trust-control weaknesses—expired certificates, unsigned subdomains, and build-pipeline compromises—over the next three to five years, as organizations prioritize feature velocity over security fundamentals.

  • -1 Regulatory pressure (NIST SP 800-218, EU Cyber Resilience Act) will increase, but enforcement will lag behind adversary capabilities. Organizations will continue to treat compliance as a checkbox exercise rather than a genuine security improvement, leaving the same attack surfaces exposed.

  • +1 The growing adoption of HSM-backed signing, reproducible builds, and signed provenance attestations (e.g., SLSA, in-toto) offers a genuine path forward. Organizations that embrace these controls early will build a defensible supply chain and gain a competitive advantage in trust and resilience.

  • -1 However, the majority will adopt these controls only after the next SolarWinds-scale breach—not before. The industry’s pattern of learning through catastrophe rather than prevention remains unchanged, and the cost will continue to be borne by customers, governments, and the broader digital ecosystem.

▶️ Related Video (70% Match):

https://www.youtube.com/watch?v=Arfk5uUm4qk

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Andy Jenkinson – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky