

Ethical Hacking News

The SolarWinds Web Help Desk Vulnerability: A Comprehensive Analysis of the Recently Disclosed Flaws




A recent attack has been confirmed by Huntress in which vulnerabilities in SolarWinds Web Help Desk (WHD) software were used to gain persistent remote access to, and control of, affected systems. The attackers exploited unpatched versions of WHD to run code remotely, then installed Zoho ManageEngine tools for persistence and Velociraptor for control. This attack highlights the importance of keeping SolarWinds WHD up to date with the latest patches, as well as implementing robust security measures to prevent similar breaches in the future.

  • The SolarWinds Web Help Desk (WHD) software has been exploited by attackers to gain persistent remote access to, and control of, affected systems.
  • Attackers used unpatched versions of WHD to run code remotely, install Zoho ManageEngine tools, and establish a foothold on compromised systems.
  • The attack allowed malicious activities such as domain reconnaissance, PowerShell script execution, and deployment of Velociraptor as a command-and-control tool.
  • Attackers used Cloudflare tunnels for hidden remote access, disabled Windows Defender and the Windows Firewall, and created malicious scheduled tasks to maintain persistence.
  • Organizations using SolarWinds WHD are advised to update to version 2026.1 or later, restrict administrative interfaces, reset passwords, and regularly review systems for unauthorized access tools.



    In a recent development that has sent shockwaves throughout the cybersecurity community, researchers at Huntress have confirmed that attackers are exploiting vulnerabilities in the SolarWinds Web Help Desk (WHD) software to gain persistent remote access to, and control of, affected systems. This attack, which was first reported by Huntress on February 7, 2026, marks a significant escalation in the use of WHD flaws for malicious purposes.

    According to the report published by Huntress, the attackers exploited unpatched versions of WHD to run code remotely, then quickly installed Zoho ManageEngine tools for persistent remote access and Cloudflare tunnels. This allowed them to establish a foothold on compromised systems and execute a range of malicious activities, including domain reconnaissance, PowerShell script execution, and the deployment of Velociraptor as a command-and-control tool.

    The attack began from the WHD service, which silently installed a Zoho Assist agent to gain persistent remote access. This agent was configured for unattended access, registering the compromised host to a Zoho Assist account tied to a Proton Mail address. The attackers then used this foothold to execute domain reconnaissance commands and deploy Velociraptor as a command-and-control tool.

    Velociraptor, an open-source endpoint visibility and digital forensics tool that the attackers repurposed as a command-and-control agent, was configured to communicate through Cloudflare Workers and included a failover C2 mechanism. This allowed the attackers to keep communicating with their command-and-control infrastructure even if one C2 channel failed.

    To avoid detection, the attackers disabled Windows Defender and the Windows Firewall on compromised systems. They then installed Cloudflared tunnels to maintain hidden remote access and used PowerShell to execute additional commands and manage the system. To ensure long-term persistence, they also created malicious scheduled tasks that abused QEMU to keep access even after reboots.

    The Huntress report highlights the importance of keeping SolarWinds WHD up to date with the latest patches, as well as implementing robust security measures such as restricting administrative interfaces and resetting passwords for service accounts. It also emphasizes the need for organizations to regularly review their systems for unauthorized remote access tools and other signs of malicious activity.

    In light of this attack, organizations that use SolarWinds Web Help Desk should act immediately to mitigate the risks associated with these vulnerabilities: update WHD to version 2026.1 or later, which addresses the critical flaws disclosed by CISA; restrict administrative interfaces and remove direct internet access to admin paths; and reset passwords for all service accounts, administrator accounts, and any credentials accessible through or stored within the WHD application.
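    The review for unauthorized remote access tools recommended above can be started with a read-only host audit like the one below. It is an added example, not from the Huntress report or this article; it looks for the artefacts the article names (Zoho agents, cloudflared tunnels, Velociraptor, QEMU-based scheduled tasks, disabled Defender and firewall), and the name patterns it matches on are assumptions, so hits are leads for an analyst, not confirmed compromise.

```powershell
# Added example: read-only audit of one Windows host for the post-exploitation
# artefacts described in the article. Run in an elevated PowerShell session.
# The regex patterns are assumptions about how these tools show up on disk;
# tune them to the naming your environment actually sees.
$patterns = 'zoho', 'cloudflared', 'velociraptor', 'qemu'
$findings = @()

# 1. Services and running processes whose name or binary path match a tool name
Get-CimInstance Win32_Service | ForEach-Object {
    foreach ($p in $patterns) {
        if ("$($_.Name) $($_.DisplayName) $($_.PathName)" -match $p) {
            $findings += [pscustomobject]@{ Type='Service'; Name=$_.Name; Detail=$_.PathName; Match=$p }
        }
    }
}
Get-Process | ForEach-Object {
    $path = try { $_.Path } catch { $null }   # access can fail for protected processes
    foreach ($p in $patterns) {
        if ("$($_.ProcessName) $path" -match $p) {
            $findings += [pscustomobject]@{ Type='Process'; Name=$_.ProcessName; Detail=$path; Match=$p }
        }
    }
}

# 2. Scheduled tasks whose action launches any of the tools (the article notes
#    tasks that abused QEMU to survive reboots)
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        foreach ($p in $patterns) {
            if ($cmd -match $p) {
                $findings += [pscustomobject]@{ Type='ScheduledTask'; Name="$($task.TaskPath)$($task.TaskName)"; Detail=$cmd; Match=$p }
            }
        }
    }
}

# 3. Defender real-time protection and firewall profiles, which the attackers disabled
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and -not $mp.RealTimeProtectionEnabled) {
    $findings += [pscustomobject]@{ Type='Defender'; Name='RealTimeProtection'; Detail='disabled'; Match='-' }
}
Get-NetFirewallProfile -ErrorAction SilentlyContinue | Where-Object { -not $_.Enabled } | ForEach-Object {
    $findings += [pscustomobject]@{ Type='Firewall'; Name=$_.Name; Detail='profile disabled'; Match='-' }
}

if ($findings.Count -eq 0) { 'No matches found on this host.' } else { $findings | Format-Table -AutoSize }
```

    Any match should be compared against a known-good inventory of sanctioned remote-management software before it is treated as an incident.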

    The SolarWinds Web Help Desk vulnerability serves as a stark reminder of the importance of maintaining robust cybersecurity defenses in today's complex threat landscape. As attackers continue to exploit vulnerabilities like this one, it is crucial that organizations stay vigilant and take proactive steps to protect themselves against these emerging threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-SolarWinds-Web-Help-Desk-Vulnerability-A-Comprehensive-Analysis-of-the-Recently-Disclosed-Flaws-ehn.shtml

  • https://securityaffairs.com/187761/security/attackers-abuse-solarwinds-web-help-desk-to-install-zoho-agents-and-velociraptor.html

  • https://cyberpress.org/exploiting-solarwinds-web-help-desk/


  • Published: Mon Feb 9 07:26:10 2026 by llama3.2 3B Q4_K_M