Unidentified threat actors are actively exploiting two critical vulnerabilities in SolarWinds Web Help Desk (WHD) to infiltrate networks, deploy legitimate remote management tools, and establish persistence.
Critical Vulnerabilities Enable Remote Code Execution
The flaws, tracked as CVE-2025-40551 and CVE-2025-26399, both carry a severity score of 9.8/10. CVE-2025-40551 stems from untrusted data deserialization, while CVE-2025-26399 arises from an unauthenticated AjaxProxy deserialization issue. Both allow remote code execution (RCE), granting attackers full control over affected servers.
Stealthy Deployment of Legitimate Tools
Rather than relying on custom malware, attackers install trusted software and turn it to malicious ends. They deploy Zoho ManageEngine and Zoho Meetings for remote access, Cloudflare tunnels for covert communication, and Velociraptor for command-and-control operations. Because these tools are legitimate and often already allow-listed, this approach carries a lower detection risk than custom payloads.
Prior to tool deployment, intruders disable security software such as Microsoft Defender. Analysis reveals that approximately one second after disabling Defender, attackers download a fresh copy of the VS Code binary, likely for further payload execution or evasion.
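The sequence described above (security tooling disabled, then a binary fetched a second or so later, then legitimate remote-access tools appearing) is itself detectable. The following is an added example, not code from the article or from any vendor: a minimal correlation rule over a constructed, simplified telemetry format that flags a host when a Defender-disable event is followed within a short window by a download or by one of the tools named in the article. The log format, field names and hostnames are assumptions made for illustration.

```python
"""Correlate 'Defender disabled' events with follow-on activity (added example)."""
from datetime import datetime, timedelta

# Legitimate tools the article reports being abused after exploitation.
ABUSED_TOOLS = ("manageengine", "zoho meeting", "cloudflared", "velociraptor")
WINDOW = timedelta(seconds=5)  # tight window: the article reports ~1 second


def parse(line: str) -> dict:
    """Parse 'ISO8601|host|event|detail' (constructed format, not a real product's)."""
    ts, host, event, detail = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event": event, "detail": detail}


def correlate(lines) -> list[str]:
    """Return one alert string per suspicious defender_disabled -> follow-on pair."""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "defender_disabled":
            continue
        for f in events[i + 1:]:
            delta = f["ts"] - e["ts"]
            if delta > WINDOW:  # events are time-sorted, nothing later can match
                break
            if f["host"] != e["host"]:
                continue
            detail = f["detail"].lower()
            if f["event"] == "file_download" or any(t in detail for t in ABUSED_TOOLS):
                alerts.append(f"{e['host']}: Defender disabled at {e['ts'].time()}, "
                              f"then {f['event']} ({f['detail']}) "
                              f"{delta.total_seconds():.0f}s later")
    return alerts


# Constructed sample telemetry mirroring the reported sequence.
SAMPLE_LOGS = [
    "2026-02-07T10:00:00|whd-srv01|defender_disabled|realtime protection turned off",
    "2026-02-07T10:00:01|whd-srv01|file_download|VSCode-win32-x64.exe",
    "2026-02-07T10:00:04|whd-srv01|process_start|cloudflared.exe tunnel run",
    "2026-02-07T10:00:30|whd-srv01|process_start|velociraptor.exe",  # outside window
    "2026-02-07T10:05:00|fileshare02|file_download|quarterly_report.xlsx",  # other host
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

A production rule would also look for the named tools on their own (Velociraptor starting 30 seconds later is missed here by design) and key on the vendor's real event identifiers rather than this constructed format.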
Campaign Timeline and Observations
The attacks began in mid-January 2026 and continue as of February 7, 2026. On that date, SOC analyst Dipo Rodipe examined an exploitation incident in which threat actors rapidly deployed Zoho Meetings, Cloudflare tunnels for persistence, and Velociraptor for control.
Microsoft has also detected abuse of SolarWinds Web Help Desk in similar incidents. Victim identities, attacker motives, and full campaign scope remain undisclosed, though researchers emphasize the disabling of defenses to pave the way for additional malware.