- Hackers Exploit SolarWinds Web Help Desk Flaws CVE-2025-40551 and CVE-2025-26399
- Attackers deploy Zoho ManageEngine, Cloudflare tunnels, and Velociraptor for persistence and control
- Campaign ongoing since January, disabling security tools before deploying additional malware
Why deploy malware and risk raising alarms when you can simply install legitimate tools and abuse them for malicious purposes? This is what hackers recently did to at least three organizations, according to a new report from cybersecurity researchers at Huntress.
According to researchers, the SolarWinds Web Help Desk (WHD) platform contains two vulnerabilities. The first is an untrusted data deserialization vulnerability that can result in remote code execution (RCE). It is tracked as CVE-2025-40551 and was assigned a severity score of 9.8/10 (critical).
The second is an unauthenticated AjaxProxy deserialization failure, which also leads to RCE. This is tracked as CVE-2025-26399, also with a score of 9.8/10.
Downloading VS Code
Unidentified threat actors are apparently exploiting both flaws to gain access to target networks and deploy legitimate remote monitoring and management tools. Huntress mentioned Zoho ManageEngine, as well as Cloudflare tunnels and the cyber incident response tool Velociraptor.
The campaign started in mid-January and is probably still ongoing:
“On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a SolarWinds Web Help Desk exploit case, in which the threat actor quickly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor as a means of command and control,” Huntress said.
The identities of the attackers and victims are unknown at this time, and we do not know what the target of the attacks was. Huntress emphasized that the criminals used their access to disable any security programs running on the targeted infrastructure, in preparation for deploying additional malware.
“Approximately one second after disabling Defender, the threat actor downloaded a fresh copy of the VS Code binary,” the researchers said.
In a separate report, Microsoft also emphasized that it has observed SolarWinds Web Help Desk being abused in attacks, but did not say which vulnerabilities were exploited.
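The sequence Huntress describes (Defender disabled, then a legitimate tool fetched moments later) can be hunted as a time correlation per host. The following is an added detection sketch, not code from Huntress or TechRadar; the normalized event format, the file-name prefixes, the five-minute window and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Microsoft Defender logs Event ID 5001 when real-time protection is disabled.
DEFENDER_DISABLED_ID = 5001
WINDOW = timedelta(minutes=5)  # assumed correlation window, tune per environment

# Tools named in the article; the file-name prefixes are assumptions.
DUAL_USE_TOOLS = {
    "VS Code": ("code.exe", "vscode"),
    "Cloudflare tunnel": ("cloudflared",),
    "Velociraptor": ("velociraptor",),
    "Zoho ManageEngine": ("manageengine",),
}

# Constructed sample events (hypothetical hosts and paths, not report data).
SAMPLE_EVENTS = [
    {"ts": "2026-01-20T10:15:03", "host": "whd01", "kind": "file_create",
     "path": "C:\\Users\\Public\\code.exe"},
    {"ts": "2026-01-20T10:15:02", "host": "whd01", "kind": "defender",
     "event_id": 5001},
    {"ts": "2026-01-20T10:16:40", "host": "whd01", "kind": "file_create",
     "path": "C:\\ProgramData\\cloudflared.exe"},
    {"ts": "2026-01-20T11:30:00", "host": "whd01", "kind": "file_create",
     "path": "C:\\Temp\\velociraptor.exe"},   # outside the default window
    {"ts": "2026-01-20T10:15:05", "host": "dev07", "kind": "file_create",
     "path": "C:\\Users\\dev\\code.exe"},     # no Defender event on this host
]

def classify_tool(path):
    """Return the tool label for a dropped file, or None if not of interest."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    for label, prefixes in DUAL_USE_TOOLS.items():
        if name.startswith(prefixes):
            return label
    return None

def correlate(events, window=WINDOW):
    """Flag dual-use tools written to a host shortly after Defender was disabled."""
    disabled_at, alerts = {}, []
    # Logs often arrive out of order, so sort by timestamp first.
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "defender" and ev.get("event_id") == DEFENDER_DISABLED_ID:
            disabled_at[ev["host"]] = ts
        elif ev["kind"] == "file_create":
            tool, since = classify_tool(ev["path"]), disabled_at.get(ev["host"])
            if tool and since is not None and ts - since <= window:
                alerts.append((ev["host"], tool, (ts - since).total_seconds()))
    return alerts

if __name__ == "__main__":
    for host, tool, delay in correlate(SAMPLE_EVENTS):
        print(f"{host}: {tool} written {delay:.0f}s after Defender was disabled")
```

Neither signal alone is conclusive, since administrators install these tools legitimately; it is the pairing on a server running Web Help Desk that merits triage.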
Via BleepingComputer