- Hackers Exploit SolarWinds Web Help Desk Vulnerabilities CVE-2025-40551 and CVE-2025-26399
- Attackers deploy Zoho ManageEngine, Cloudflare tunnels, Velociraptor for persistence and control
- Campaign running since January, disables security tools before deploying additional malware
Why deploy malware and risk triggering alerts when you can simply install legitimate tools and abuse them for malicious purposes? This is what hackers recently did to at least three organizations, according to a new report from cybersecurity researchers at Huntress.
According to the investigators, the SolarWinds Web Help Desk (WHD) platform contains two vulnerabilities. The first is a deserialization of untrusted data vulnerability that could result in remote code execution (RCE). It is tracked as CVE-2025-40551 and has a severity rating of 9.8/10 (Critical).
The second is an unauthenticated AjaxProxy deserialization flaw which also leads to RCE. It is tracked as CVE-2025-26399, also with a score of 9.8/10.
These two are apparently being exploited by unidentified threat actors to gain access to target networks and deploy legitimate remote monitoring and management tools. Huntress mentioned Zoho ManageEngine, but also Cloudflare tunnels and the Velociraptor cyber incident response tool.
The campaign started in mid-January and is most likely still running:
“On February 7, 2026, Huntress SOC Analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation where the threat actor quickly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for command and control means,” Huntress said.
The identities of the attackers and victims are not known at this time, and we do not know what the goal of the attacks was. Huntress emphasized that the crooks used their access to disable security programs running on target infrastructure in preparation for deploying additional malware.
“Approximately one second after disabling Defender, the threat actor downloaded a new copy of the VS Code binary,” the researchers said.
In a separate report, Microsoft also emphasized that it has observed SolarWinds Web Help Desk being misused in attacks, but it did not say which vulnerabilities were exploited.
Via Bleeping Computer



