SolarWinds Web Help Desk Under Active Exploitation as Hackers Abuse Critical RCE Flaws

Listen to this Post

Featured Image

Introduction: A Silent Breach Vector Inside IT Help Desks

SolarWinds Web Help Desk (WHD), a widely deployed IT service management platform, has become the latest focal point for active cyberattacks exploiting critical remote code execution vulnerabilities. What makes this campaign especially dangerous is not just the severity of the flaws, but the attackers’ disciplined, hands-on approach—blending legitimate administrative tools with stealthy persistence mechanisms. Security researchers now warn that unpatched WHD instances exposed to the internet represent an immediate and ongoing risk to enterprise networks worldwide.

Background: Active Attacks Confirmed in the Wild

Security firm Huntress confirmed on February 7, 2026, that it had observed real-world exploitation of SolarWinds Web Help Desk across multiple customer environments. These were not theoretical proofs of concept, but live intrusions where attackers successfully gained unauthenticated remote code execution. Microsoft independently reported observing similar attack patterns one day earlier, reinforcing concerns that this is a coordinated and scalable exploitation campaign rather than isolated incidents.

Summary of the Original Findings

The attacks target SolarWinds Web Help Desk installations running on Apache Tomcat that suffer from untrusted deserialization vulnerabilities, allowing attackers to execute arbitrary code without authentication. Versions earlier than WHD 12.8.7 HF1, also referred to as 2026.1, are confirmed vulnerable. One of the most severe flaws, CVE-2025-40551, has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed abuse in active attacks and elevating patch urgency across federal and private sectors.

The observed intrusion chain begins when the WHD service spawns wrapper.exe, which in turn launches java.exe, followed by cmd.exe. From there, attackers retrieve a malicious MSI payload hosted on Catbox, deploying Zoho ManageEngine Remote Monitoring and Management software disguised as TOOLSIQ.EXE. This grants the attackers interactive remote access tied to accounts registered via Proton Mail, complicating attribution and takedown efforts.

Once inside, attackers conduct Active Directory reconnaissance using native commands such as net group “domain computers” /domain, allowing them to map the environment and identify lateral movement opportunities. They then deploy Velociraptor version 0.73.4, a legitimate digital forensics and incident response (DFIR) tool, downloaded from Supabase. Velociraptor is repurposed as a command-and-control (C2) framework, blending malicious intent with trusted tooling to evade detection.

To further harden their access, attackers install Cloudflared to establish outbound tunnels, effectively bypassing firewall restrictions. System data is collected using PowerShell’s Get-ComputerInfo command and exfiltrated to Elastic Cloud infrastructure hosted on Google Cloud Platform. Defender and Windows Firewall protections are deliberately weakened through registry modifications, reducing the likelihood of endpoint security interference.

The attackers also employ redundancy mechanisms. If their primary Velociraptor C2 channel via Cloudflare Workers fails—indicated by HTTP 406 responses—a failover script redirects traffic to an alternate endpoint hosted at v2-api.mooo.com. Persistence is reinforced through scheduled tasks masquerading as legitimate processes, including QEMU-based SSH backdoors using task names such as TPMProfiler.

Huntress reported monitoring 84 endpoints across 78 organizations actively running Web Help Desk, underscoring how widespread the exposure remains. The campaign demonstrates a growing trend of adversaries constructing custom SIEM-like environments using Elastic Stack to triage victims efficiently, while leaning heavily on legitimate enterprise tools to remain undetected for extended periods.

Vulnerabilities at the Center of the Campaign

SolarWinds Web Help Desk’s core issue lies in unsafe object deserialization within its Java-based architecture. These flaws allow external actors to send crafted data that the application blindly trusts, resulting in arbitrary code execution without credentials. The most notable vulnerabilities include multiple critical CVEs that together provide attackers with reliable, repeatable access paths into exposed systems.

Table: Confirmed Vulnerabilities Under Exploitation

CVE ID CVSS Score Description Current Status

CVE-2025-40551 Critical Untrusted deserialization leading to RCE Actively exploited, listed in CISA KEV

CVE-2025-26399 Critical Untrusted deserialization RCE Actively exploited

CVE-2025-40536 High Related deserialization vulnerability Patch required

Defensive Guidance Issued by Researchers

Security teams are strongly advised to upgrade SolarWinds Web Help Desk to version 2026.1 or later without delay. Administrative interfaces should never be publicly accessible and must be shielded behind VPNs or strict firewall rules. Organizations are urged to search for indicators of compromise, including suspicious Zoho MSI installers, known Velociraptor infrastructure, unexpected java.exe child processes, and unauthorized RMM software deployments. Credential resets, full endpoint scans, and network traffic reviews are considered mandatory response steps.

What Undercode Say:

This campaign reflects a clear evolution in attacker tradecraft, where exploitation is only the opening move rather than the end goal. SolarWinds Web Help Desk is not being targeted because it is obscure, but because it sits at a strategic junction—bridging IT operations, authentication systems, and privileged administrative workflows. Compromising a help desk platform effectively hands attackers a backstage pass to the enterprise.

What stands out is the attackers’ preference for legitimate tools over custom malware. Zoho Assist, Velociraptor, Cloudflared, and Elastic are all widely used by defenders themselves. By weaponizing trusted software, adversaries reduce behavioral anomalies that traditional endpoint detection systems rely on. This “living off the land” strategy is no longer subtle experimentation—it is now a default operational model for skilled threat actors.

The use of Elastic Cloud as a victim-triage platform is particularly telling. Rather than manually reviewing each compromised environment, attackers are building scalable, analyst-like pipelines to assess value, persistence, and lateral movement potential. This mirrors how professional security teams operate, blurring the line between offensive and defensive infrastructure.

The failover logic embedded in the Velociraptor C2 configuration also signals operational maturity. Automated switching between Cloudflare Workers and alternate domains suggests attackers anticipate disruption and have engineered resilience into their access channels. This is not opportunistic smash-and-grab exploitation; it is long-term access engineering.

From a defensive standpoint, the continued exposure of internet-facing management tools highlights a persistent organizational blind spot. Many environments still treat internal IT platforms as low-risk assets, despite their deep integration with identity systems and administrative privileges. As long as these assumptions persist, attackers will continue to exploit them.

Undercode believes this incident should be viewed as a warning shot. Help desk software, monitoring dashboards, and internal portals must now be treated with the same security rigor as VPNs and identity providers. The era where “internal tooling” equaled “low threat surface” is definitively over.

Fact Checker Results

✅ SolarWinds Web Help Desk RCE vulnerabilities are confirmed as actively exploited in the wild.
✅ CVE-2025-40551 is officially listed in CISA’s Known Exploited Vulnerabilities catalog.
❌ No evidence currently confirms attribution to a named threat group or nation-state.

Prediction

The exploitation of IT management platforms like SolarWinds WHD will accelerate as attackers prioritize high-leverage access points over traditional perimeter breaches 🔮.
Security vendors will increasingly see their legitimate tools abused as covert C2 frameworks, forcing changes in trust models and telemetry baselines ⚠️.
Organizations that delay patching internal-facing systems will face longer, stealthier intrusions rather than immediate ransomware-style disruption 🧩.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.reddit.com/r/AskReddit
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon