
Introduction
In early February 2026, a quiet but deeply concerning cyber intrusion revealed how dangerous unpatched enterprise software can become when exploited at the right moment. Security researchers at Huntress uncovered an active attack campaign abusing critical vulnerabilities in SolarWinds Web Help Desk, a tool widely used by organizations to manage IT support operations. What began as a simple service exploitation quickly evolved into a sophisticated post-exploitation operation involving remote management tools, covert tunnels, and full domain reconnaissance. The incident highlights how threat actors are increasingly chaining legitimate software with newly disclosed vulnerabilities to gain stealthy, long-term control over corporate environments.
The Original Incident Report
On February 7, 2026, Huntress investigators identified real-world exploitation of multiple critical vulnerabilities affecting SolarWinds Web Help Desk. The attackers specifically targeted unpatched installations, abusing flaws that allowed arbitrary remote code execution through untrusted deserialization mechanisms. Among the exploited flaws were CVE-2025-40551, now officially listed in CISA’s Known Exploited Vulnerabilities catalog, and CVE-2025-26399, which had already drawn attention from Microsoft and other vendors due to observed in-the-wild abuse.
The intrusion originated directly from the Web Help Desk service itself. Once access was gained, the attackers immediately shifted into post-exploitation mode by silently installing a Zoho ManageEngine remote monitoring and management agent. This move allowed them to establish persistent, unattended remote access without raising immediate alarms. The Zoho Assist agent was configured to register the compromised system to an account associated with a Proton Mail address, strongly suggesting deliberate operational security practices.
With persistence established, the attackers transitioned to hands-on-keyboard activity. Leveraging the legitimate RMM process TOOLSIQ.EXE as their operational foothold, they executed standard Active Directory discovery commands to enumerate domain-joined systems. This reconnaissance phase focused on identifying lateral movement opportunities across the network.
The attackers then deployed Velociraptor, an open-source digital forensics and incident response framework often abused as a command-and-control platform. Velociraptor was configured to communicate via Cloudflare Workers and included a fallback communication channel, demonstrating planning for resilience if primary C2 paths were disrupted.
A custom PowerShell script was executed to collect detailed system telemetry, including operating system versions, hardware profiles, domain membership, and installed security updates. This information was exfiltrated to an attacker-controlled Elastic Cloud instance hosted on Google Cloud infrastructure, where it was visualized through Kibana dashboards. This setup allowed the attackers to centrally monitor and manage compromised hosts using trusted cloud services.
To evade detection and defensive response, the attackers disabled Windows Defender and the Windows Firewall. They further entrenched their access by deploying Cloudflared tunnels, creating hidden outbound connections that bypassed traditional network monitoring. For long-term persistence, malicious scheduled tasks were created, abusing QEMU components to maintain access even after system reboots. The activity confirmed that SolarWinds Web Help Desk vulnerabilities are no longer theoretical risks but actively weaponized entry points.
What Undercode Says:
This attack is a textbook example of modern intrusion tradecraft, where exploitation speed matters more than novelty. The vulnerabilities themselves were already known, discussed, and in some cases patched. The real danger came from delayed remediation and the attackers’ ability to operationalize these flaws faster than defenders could respond.
What stands out is the heavy reliance on legitimate software and infrastructure. Zoho ManageEngine, Cloudflare Workers, Google Cloud, Elastic Cloud, and even Velociraptor are not malicious by default. They are trusted tools, widely used by enterprises and security teams alike. By blending into this ecosystem, the attackers dramatically reduced their detection surface. Traditional security controls are far less likely to flag traffic flowing through reputable cloud providers or signed remote management tools.
The use of unattended Zoho Assist access is particularly alarming. It demonstrates how attackers increasingly prefer persistence methods that look like normal IT administration rather than classic malware. In environments where RMM tools are already part of daily operations, distinguishing attacker activity from legitimate support actions becomes extremely difficult.
Another critical insight is the attackers’ emphasis on visibility and telemetry. Exfiltrating system data into an Elastic and Kibana stack shows a shift toward professionalized intrusion management. This is not smash-and-grab hacking. It is an infrastructure-backed, dashboard-driven operation that mirrors how enterprises manage their own assets.
The disabling of Windows Defender and Firewall further confirms confidence and time advantage. These actions are risky but effective when attackers know detection is unlikely or delayed. Combined with Cloudflared tunnels, the attackers ensured outbound-only access paths that many networks still struggle to inspect.
Most importantly, this incident reinforces a hard truth. Vulnerability disclosure alone does not equal security. Until patches are applied, monitoring rules updated, and assumptions challenged, disclosed vulnerabilities remain open doors. SolarWinds Web Help Desk became the entry point, but the real breach occurred because trust in internal tools went unquestioned.
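The post-exploitation chain laid out in the incident report (a shell spawned by the Web Help Desk service, an unapproved RMM agent install, Active Directory discovery, Defender and firewall disabling, a Cloudflared tunnel, and scheduled-task persistence), together with the point above about separating attacker RMM use from sanctioned IT tooling, as an added detection example; this is not code from the original article or from Huntress's reporting. The events are constructed sample data in a Sysmon-like shape. The Java parent process for Web Help Desk, the sanctioned-RMM allowlist, the rule weights and the alert threshold are assumptions chosen for illustration.

```python
"""Rule-based triage of process-creation events for the post-exploitation
chain described in the article. Sample events are constructed; parent
process names, allowlist and weights are assumptions, not report values."""
import re
from collections import defaultdict

# Assumption: Web Help Desk runs under a Java service process, so a shell
# whose parent is java.exe on the help desk host is the entry-point signal.
SERVICE_PARENTS = {"java.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Assumption: installer name fragments for RMM products, and the one RMM the
# organisation has actually sanctioned (a constructed name).
RMM_INSTALLERS = {"zohoassist": "Zoho Assist",
                  "corpremotesupport": "Corp Remote Support"}
APPROVED_RMM = {"Corp Remote Support"}

# Constructed sample events: (host, parent image, image, command line).
SAMPLE_EVENTS = [
    {"host": "HELPDESK01", "parent": "java.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "powershell -enc AAAA"'},
    {"host": "HELPDESK01", "parent": "cmd.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i ZohoAssistAgent.msi /qn"},
    {"host": "HELPDESK01", "parent": "TOOLSIQ.EXE", "image": "nltest.exe",
     "cmdline": "nltest /dclist:corp.example"},
    {"host": "HELPDESK01", "parent": "TOOLSIQ.EXE", "image": "net.exe",
     "cmdline": 'net group "Domain Computers" /domain'},
    {"host": "HELPDESK01", "parent": "TOOLSIQ.EXE", "image": "powershell.exe",
     "cmdline": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "HELPDESK01", "parent": "TOOLSIQ.EXE", "image": "netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "HELPDESK01", "parent": "TOOLSIQ.EXE", "image": "cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token REDACTED"},
    {"host": "HELPDESK01", "parent": "TOOLSIQ.EXE", "image": "schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr C:\\ProgramData\\qemu\\run.cmd /sc onstart"},
    # Benign activity on another host: sanctioned RMM, ordinary PowerShell.
    {"host": "WKS-042", "parent": "services.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i CorpRemoteSupport.msi /qn"},
    {"host": "WKS-042", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell Get-Process"},
]


def rmm_product(cmdline):
    """Map an installer command line to a known RMM product name, if any."""
    low = cmdline.lower()
    for fragment, product in RMM_INSTALLERS.items():
        if fragment in low:
            return product
    return None


def unapproved_rmm(e):
    product = rmm_product(e["cmdline"]) if e["image"].lower() == "msiexec.exe" else None
    return product is not None and product not in APPROVED_RMM


def matches(pattern, e):
    return re.search(pattern, e["cmdline"], re.IGNORECASE) is not None


# (rule name, weight, predicate). Weights are an assumption: the entry-point
# shell and defence tampering count most, single discovery commands least.
RULES = [
    ("service_spawns_shell", 4,
     lambda e: e["parent"].lower() in SERVICE_PARENTS and e["image"].lower() in SHELLS),
    ("unapproved_rmm_install", 3, unapproved_rmm),
    ("ad_discovery", 1, lambda e: matches(r'nltest\s+/dclist|net\s+group\s+"?domain', e)),
    ("defender_disabled", 3, lambda e: matches(r"Set-MpPreference.*-Disable", e)),
    ("firewall_disabled", 2, lambda e: matches(r"advfirewall\s+set\s+\w+\s+state\s+off", e)),
    ("cloudflared_tunnel", 3,
     lambda e: e["image"].lower() == "cloudflared.exe" and "tunnel" in e["cmdline"].lower()),
    ("scheduled_task_persistence", 2,
     lambda e: e["image"].lower() == "schtasks.exe" and "/create" in e["cmdline"].lower()),
]


def triage(events, alert_threshold=6):
    """Score each host by the rules its events trigger; return only hosts at or
    above the threshold as {host: {"score": int, "findings": [(rule, cmdline)]}}.
    A single discovery command never alerts on its own; the chain does."""
    per_host = defaultdict(lambda: {"score": 0, "findings": []})
    for e in events:
        for name, weight, pred in RULES:
            if pred(e):
                per_host[e["host"]]["score"] += weight
                per_host[e["host"]]["findings"].append((name, e["cmdline"]))
    return {h: v for h, v in per_host.items() if v["score"] >= alert_threshold}


if __name__ == "__main__":
    for host, result in triage(SAMPLE_EVENTS).items():
        print(f"{host}: score {result['score']}")
        for rule, cmdline in result["findings"]:
            print(f"  [{rule}] {cmdline}")
```

The scoring is the design point: each rule alone (an admin running nltest, a help desk installing an RMM) is noisy, but the same host accumulating a service-spawned shell, defence tampering and a tunnel within the same window is the pattern the report describes, and the allowlist is what turns "RMM installed" into "RMM the organisation never sanctioned". In a real deployment the events would come from Sysmon or EDR process telemetry and the threshold would be tuned against a baseline of the environment's own admin activity.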
Fact Checker Results
✅ SolarWinds Web Help Desk vulnerabilities were actively exploited in the wild, confirmed by Huntress.
✅ CVE-2025-40551 is officially listed in CISA’s Known Exploited Vulnerabilities catalog.
❌ No evidence suggests zero-day exploitation; attackers relied on known but unpatched flaws.
Prediction
📊 Enterprise attackers will increasingly weaponize help desk and IT management platforms as primary entry points.
📊 Abuse of legitimate cloud services for command-and-control will continue to outpace traditional malware delivery.
📊 Organizations that treat internal tools as implicitly trusted assets will face rising risk without behavioral monitoring.
References:
Reported By: securityaffairs.com