SolarWinds WHD Exploited: Critical Vulnerabilities (CVE-2025-40551, CVE-2025-26399)

by Sophie Williams

Hackers are actively exploiting two serious vulnerabilities in SolarWinds Web Help Desk (WHD), a popular IT service management platform. The attacks allow threat actors to gain access to target networks and deploy legitimate remote monitoring and management tools for malicious purposes.

  • Critical vulnerabilities have been identified in the SolarWinds Web Help Desk (WHD) product.
  • These security flaws, including CVE-2025-40551 and CVE-2025-26399, are currently being exploited by threat actors.
  • Successful exploitation can lead to remote code execution (RCE), compromising critical servers and organizational credentials.
  • Detected attacks are multi-stage, often involving tools such as Cloudflare tunnels, Velociraptor, and Zoho ManageEngine.
  • Organizations using SolarWinds WHD are at high risk of being targeted by these exploits.
  • Threat actors are leveraging these vulnerabilities to gain unauthorized access and control over vulnerable systems.

Q: What is SolarWinds Web Help Desk (WHD)?

A: SolarWinds Web Help Desk is software designed to help organizations manage IT support services, incident tickets, assets, and automation processes within their environments.


Q: What are the main risks of these exploited vulnerabilities?

A: The primary risk is that threat actors can exploit these flaws to gain full control over servers running WHD, steal sensitive credentials, and potentially infiltrate an organization’s network further.

Q: What should organizations using SolarWinds WHD do?

A: Organizations are strongly advised to immediately review their systems, apply any security updates or patches released by SolarWinds, and increase monitoring for suspicious activity within their WHD environments.

According to recent reports from cybersecurity researchers at Huntress, this attack campaign has been ongoing since mid-January 2026 and is likely still active. Hackers are exploiting two critical vulnerabilities, each with a severity score of 9.8 out of 10.

Two Critical Vulnerabilities Serve as Entry Points

The first vulnerability, tracked as CVE-2025-40551, is an untrusted data deserialization flaw that can result in remote code execution (RCE). The second vulnerability, CVE-2025-26399, is an unauthenticated AjaxProxy deserialization flaw, likewise leading to RCE.

The Mureks editorial team notes that attackers aren’t immediately deploying suspicious malware, but are instead utilizing legitimate tools like Zoho ManageEngine, Cloudflare tunnels, and the Velociraptor cyber incident response tool. This approach aims to establish persistence and control over compromised systems without initially raising alarms.

“On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a SolarWinds Web Help Desk exploitation where the threat actor quickly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor as a means of command and control,” Huntress stated.

Before deploying additional malware, threat actors are known to disable security programs running on target infrastructure. This clears the way for further malicious software installation.

“Roughly a second after disabling Defender, the threat actor downloaded a fresh copy of the VS Code binary,” the researchers added.
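An added example, written for this article rather than taken from Huntress, SolarWinds or Mureks, of how a SOC might correlate endpoint telemetry to catch the sequence just described (a security product disabled, then a new binary fetched seconds later) and to surface the legitimate tools named earlier in the summary bullets (Cloudflare tunnels, Velociraptor, Zoho). It assumes JSON-lines events with the field names shown; the host names, timestamps and file names in the sample are constructed, not indicators from the incident.

```python
"""
Added example (not from the article or from Huntress/SolarWinds): correlate
AV-state and process telemetry to flag the pattern the article describes, i.e.
a security product being disabled immediately before a new binary lands, and
the appearance of the legitimate tools named in the campaign. Event format,
field names, host names and file names below are constructed for illustration.
"""
import json
from datetime import datetime, timedelta

# Constructed telemetry in JSON-lines form; not real logs from any incident.
SAMPLE_LOG_LINES = [
    '{"ts":"2026-02-07T10:00:00Z","host":"whd-01","type":"av_state","product":"Defender","state":"disabled"}',
    '{"ts":"2026-02-07T10:00:01Z","host":"whd-01","type":"download","image":"curl.exe","artifact":"Code.exe"}',
    '{"ts":"2026-02-07T10:04:30Z","host":"whd-01","type":"process","image":"cloudflared.exe","parent":"cmd.exe"}',
    '{"ts":"2026-02-07T10:06:12Z","host":"whd-01","type":"process","image":"velociraptor.exe","parent":"cmd.exe"}',
    '{"ts":"2026-02-07T10:07:40Z","host":"whd-01","type":"process","image":"ZohoMeeting.exe","parent":"explorer.exe"}',
    # Benign-looking activity on another host: AV disabled for maintenance,
    # with the next download two hours later (well outside the window).
    '{"ts":"2026-02-07T08:00:00Z","host":"ws-22","type":"av_state","product":"Defender","state":"disabled"}',
    '{"ts":"2026-02-07T10:00:00Z","host":"ws-22","type":"download","image":"msedge.exe","artifact":"report.pdf"}',
    '{"ts":"2026-02-07T10:01:00Z","host":"ws-22","type":"process","image":"notepad.exe","parent":"explorer.exe"}',
]

# Lower-case substrings of image names for the legitimate tools the article
# says were abused. Matching is deliberately loose; tune it to your estate.
ABUSED_TOOLS = {
    "cloudflared": "Cloudflare tunnel",
    "velociraptor": "Velociraptor",
    "zoho": "Zoho ManageEngine / Zoho Meetings",
}


def parse_events(lines):
    """Parse JSON-lines telemetry into dicts carrying a tz-aware datetime under
    'when', sorted by host then time so the correlation can scan forward."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["when"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: (e["host"], e["when"]))
    return events


def find_disable_then_download(events, window=timedelta(seconds=30)):
    """Return (av_event, download_event) pairs on the same host where a download
    follows an AV-disable within `window`. This is the ordering the article
    reports: Defender disabled, then a fresh VS Code binary fetched a second later."""
    hits = []
    for i, ev in enumerate(events):
        if ev["type"] != "av_state" or ev.get("state") != "disabled":
            continue
        for later in events[i + 1:]:
            # Events are sorted by (host, time), so the first foreign host or
            # out-of-window event ends the search for this disable event.
            if later["host"] != ev["host"] or later["when"] - ev["when"] > window:
                break
            if later["type"] == "download":
                hits.append((ev, later))
    return hits


def find_abused_tools(events):
    """Return (event, label) for process events whose image matches a listed tool."""
    found = []
    for ev in events:
        if ev["type"] != "process":
            continue
        image = ev["image"].lower()
        for needle, label in ABUSED_TOOLS.items():
            if needle in image:
                found.append((ev, label))
    return found


def triage(lines):
    """Per-host summary: count of disable->download sequences and tools seen.
    Hosts with neither finding are omitted so the analyst sees only what matters."""
    events = parse_events(lines)
    summary = {}
    for av, _dl in find_disable_then_download(events):
        summary.setdefault(av["host"], {"sequences": 0, "tools": []})
        summary[av["host"]]["sequences"] += 1
    for ev, label in find_abused_tools(events):
        summary.setdefault(ev["host"], {"sequences": 0, "tools": []})
        summary[ev["host"]]["tools"].append(label)
    return summary


if __name__ == "__main__":
    for host, facts in triage(SAMPLE_LOG_LINES).items():
        print(host, facts)
```

The 30-second window is the only tunable that matters here: the article reports a gap of about one second between the Defender change and the download, so even a tight window catches it, while the maintenance case on the second host falls outside it and is not reported. In production the same two checks would run against an EDR or SIEM export rather than the embedded sample.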

Microsoft has also observed abuse of SolarWinds Web Help Desk in attacks, though it hasn’t detailed the specific vulnerabilities exploited. As of now, the identities of the attackers and victims, as well as the ultimate goal of the attacks, remain unknown.

This incident serves as a crucial reminder for organizations to promptly patch vulnerabilities in their systems and heighten vigilance against suspicious activity on their networks. The increasing sophistication of these attacks underscores the need for proactive cybersecurity measures in today’s threat landscape.
