TechRadar
Sead Fadilpašić

SolarWinds WHD flaws exploited in attacks targeting servers and credentials


  • Hackers exploit SolarWinds Web Help Desk flaws CVE-2025-40551 and CVE-2025-26399
  • Attackers deploy Zoho ManageEngine, Cloudflare tunnels, Velociraptor for persistence and control
  • Campaign ongoing since January, disabling security tools before deploying additional malware

Why deploy malware and risk raising alarms when you can simply install legitimate tools and abuse them for malicious purposes? That is what attackers recently did to at least three organizations, according to a new report from cybersecurity researchers at Huntress.

According to the investigators, the attacks abuse two vulnerabilities in the SolarWinds Web Help Desk (WHD) platform. The first is an untrusted-data deserialization vulnerability that can result in remote code execution (RCE). It is tracked as CVE-2025-40551 and carries a severity score of 9.8/10 (critical).

The second is an unauthenticated deserialization flaw in the AjaxProxy component, which also leads to RCE. It is tracked as CVE-2025-26399 and likewise scored 9.8/10.


These two flaws are apparently being leveraged by unidentified threat actors to gain access to target networks and deploy legitimate remote monitoring and management tools. Huntress named Zoho ManageEngine, as well as Cloudflare tunnels and the Velociraptor incident-response tool.

The campaign started in mid-January and is most likely still ongoing:

“On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control,” Huntress said.

The identities of the attackers and the victims are not known at this time, and the goal of the attacks is unclear. Huntress did stress that the intruders used their access to disable the security software running on target infrastructure in preparation for deploying additional malware.

"Approximately a second after disabling Defender, the threat actor downloaded a fresh copy of the VS Code binary," the researchers said.
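Huntress describes a tight sequence: Defender switched off, then a fresh VS Code binary fetched about a second later. As an added example (not code from Huntress, Microsoft, SolarWinds or TechRadar), the following Python correlation check flags exactly that pattern on a single host within a short window, run over constructed sample process-creation events. The pipe-delimited event format, the hostnames and paths, the specific Defender-disabling commands, and the heuristic that shells spawned by java.exe on a WHD host indicate post-exploitation through the web app are all assumptions made for illustration.

```python
"""Correlation check: endpoint protection disabled, then a tooling download
seconds later, on the same host. Added example, not Huntress's detection logic.

Assumptions (not from the article): the pipe-delimited event format, the
hostnames and paths, the exact commands used to disable Defender, and that
the WHD service runs under java.exe (WHD is a Java web application).
"""
from dataclasses import dataclass
from datetime import datetime
import re


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str   # parent process image
    image: str    # process image
    cmdline: str


# Defense-evasion step: common ways to switch off Defender from a shell.
# Illustrative list; tune against your own telemetry.
DEFENDER_DISABLE = re.compile(
    r"Set-MpPreference\s+-Disable\w+\s+\$?true"
    r"|sc(\.exe)?\s+(stop|config)\s+WinDefend",
    re.IGNORECASE,
)

# Tooling step: fetching the VS Code binary with a command-line downloader.
VSCODE_DOWNLOAD = re.compile(
    r"(curl|wget|Invoke-WebRequest|certutil).*"
    r"(code\.visualstudio\.com|VSCodeSetup|\bcode\.exe)",
    re.IGNORECASE,
)

# Constructed sample telemetry: ISO timestamp|host|parent image|image|command line.
# The admin-ws02 lines are a benign-looking control case: same commands, hours apart.
SAMPLE_LOG = """
2026-02-07T10:00:00|whd-srv01|java.exe|cmd.exe|cmd.exe /c whoami
2026-02-07T10:00:05|whd-srv01|java.exe|powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
2026-02-07T10:00:06|whd-srv01|java.exe|curl.exe|curl -o C:\\Users\\Public\\code.exe https://code.visualstudio.com/sha/download?build=stable&os=win32-x64
2026-02-07T11:30:00|admin-ws02|explorer.exe|powershell.exe|powershell -c Set-MpPreference -DisableRealtimeMonitoring $true
2026-02-07T13:00:00|admin-ws02|explorer.exe|curl.exe|curl -o code.exe https://code.visualstudio.com/sha/download?build=stable&os=win32-x64
""".strip().splitlines()


def parse_line(line: str) -> Event:
    ts, host, parent, image, cmdline = line.split("|", 4)
    return Event(datetime.fromisoformat(ts), host, parent, image, cmdline)


def find_disable_then_download(lines, window_seconds: float = 60.0):
    """Return (disable_event, download_event) pairs where a VS Code download
    follows a Defender-disable on the same host within window_seconds."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    hits = []
    for i, ev in enumerate(events):
        if not DEFENDER_DISABLE.search(ev.cmdline):
            continue
        for later in events[i + 1:]:
            if (later.ts - ev.ts).total_seconds() > window_seconds:
                break  # events are time-sorted, so nothing later can qualify
            if later.host == ev.host and VSCODE_DOWNLOAD.search(later.cmdline):
                hits.append((ev, later))
    return hits


def spawned_by_whd(ev: Event) -> bool:
    """Heuristic (assumption): the WHD service is a Java process, so a shell or
    downloader whose parent is java.exe points at execution via the web app."""
    return ev.parent.lower() == "java.exe"


if __name__ == "__main__":
    for disable, download in find_disable_then_download(SAMPLE_LOG):
        gap = (download.ts - disable.ts).total_seconds()
        print(f"{disable.host}: Defender disabled, VS Code fetched {gap:.0f}s later "
              f"(parent is WHD/java: {spawned_by_whd(download)})")
```

The window is the point of the check: an administrator who disables real-time monitoring and, separately, installs an editor later that day is not the same thing as both happening within a second under a process tree rooted in the help-desk service. Run against real EDR telemetry, the two regexes should be replaced by the vendor's normalized fields and the parent-process heuristic tied to the actual WHD service account and binary.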

A SolarWinds spokesperson told TechRadar Pro, “We are aware of the reported issues and addressed them as part of the Web Help Desk 2026.1 release. Updates and patches are available, and we recommend customers apply them promptly. Based on our review, we have not observed widespread exploitation, and we are continuing to monitor the situation and partner with customers closely.” 

In a separate report, Microsoft also said it had observed SolarWinds Web Help Desk being abused in attacks, but it did not say which vulnerabilities were leveraged.

Via BleepingComputer
