Attackers Deploy Legitimate IT Tools via SolarWinds Flaws

Attackers are actively exploiting critical vulnerabilities in SolarWinds Web Help Desk (WHD) and then installing legitimate administrative software to run the intrusion. In observed incidents they used the flaws to deploy Zoho ManageEngine's remote access tool, Zoho Assist, and kept access open through Cloudflare tunnels. They also installed the Velociraptor digital forensics platform and used it as a command-and-control channel.

Security analysts at Huntress identified the activity and linked it to a campaign that began in mid-January and leverages two recently patched vulnerabilities, CVE-2025-40551 and CVE-2025-26399, both of which allow an unauthorized remote attacker to execute code on the WHD server. Microsoft has also reported intrusions against internet-exposed WHD instances.

After gaining a foothold, the threat actors install a Zoho Assist agent and use it for hands-on reconnaissance and to stage further tools. The Velociraptor build they deploy is an outdated version with a known privilege escalation vulnerability. For redundant access they also stand up Cloudflare tunnels and, in some cases, register a scheduled task that opens an SSH backdoor.

To avoid detection, the attackers disable Windows Defender and the Windows Firewall through registry edits before downloading additional payloads. Administrators are advised to update SolarWinds WHD to version 2026.1 or newer immediately and to keep its administrative interface off the public internet. Huntress has published detection rules and indicators of compromise for the tools used in these attacks.
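The hunting script below is an added example for defenders and is not code from the article or from Huntress's published detections. It checks a Windows host for the artifact classes the article describes: Defender and firewall policy values written to the registry, scheduled tasks that launch ssh or sshd or a tunnel client, and services or processes named like the tools involved. The registry paths and the name patterns (cloudflared, velociraptor, zoho, ssh) are assumptions about where these tools commonly leave traces, not the indicators published for this campaign.

```powershell
# Added hunting script, not from the article or Huntress. Registry paths and
# name patterns below are assumptions about where these tools usually leave
# traces; they are not indicators published for this campaign. Run elevated.

$findings = [System.Collections.Generic.List[string]]::new()

# Tool names seen in the campaign (-match is case-insensitive by default)
$toolPattern = 'cloudflared|velociraptor|zoho'
# For scheduled task actions, also catch an SSH client or daemon used as a backdoor
$taskPattern = "$toolPattern|\bsshd?(\.exe)?\b"

# 1. Defender disabled through policy registry values (assumed common keys)
$defenderChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' }
)
foreach ($c in $defenderChecks) {
    $v = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($v -and $v.($c.Name) -eq 1) {
        $findings.Add("Registry: $($c.Path)\$($c.Name) = 1")
    }
}
# Cross-check the live state; Get-MpComputerStatus needs the Defender module
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $findings.Add('Defender real-time protection is currently off')
}

# 2. Firewall disabled in the registry, cross-checked against the live profiles
$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
    $v = Get-ItemProperty -Path "$fwBase\$profile" -Name 'EnableFirewall' -ErrorAction SilentlyContinue
    if ($v -and $v.EnableFirewall -eq 0) {
        $findings.Add("Registry: $fwBase\$profile\EnableFirewall = 0")
    }
}
Get-NetFirewallProfile -ErrorAction SilentlyContinue |
    Where-Object { $_.Enabled -eq 'False' } |   # Enabled is a GpoBoolean enum
    ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is currently disabled") }

# 3. Scheduled tasks whose action launches ssh/sshd or one of the tools
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        # COM-handler actions have no Execute property; the string is then empty
        $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
        if ($cmd -match $taskPattern) {
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs: $cmd")
        }
    }
}

# 4. Services and running processes named like the tools
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $toolPattern -or $_.DisplayName -match $toolPattern } |
    ForEach-Object { $findings.Add("Service '$($_.Name)' ($($_.DisplayName)) is $($_.Status)") }
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -match $toolPattern } |
    ForEach-Object { $findings.Add("Process '$($_.ProcessName)' PID $($_.Id) path $($_.Path)") }

if ($findings.Count -eq 0) { 'No matching artifacts found' } else { $findings }
```

Velociraptor, Zoho Assist and cloudflared are all legitimate and may be deployed on purpose, so every hit needs to be compared with what the organisation has actually rolled out; an unexplained instance on a WHD server, especially alongside a Defender or firewall policy value nobody set, is the signal. Note also that on current Windows builds tamper protection ignores DisableAntiSpyware, so the registry value alone proves intent rather than effect, which is why the script also reads the live Defender and firewall state.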
