BleepingComputer reports that intrusions leveraging the critical SolarWinds Web Help Desk flaws, tracked as CVE-2025-40551 and CVE-2026-26399, to deliver legitimate tools for illicit activity have been launched as part of a campaign believed to have commenced in mid-January.At least three organizations have already been affected by the attacks, which involved abuse of the vulnerabilities for initial access that would then be followed by the installation of a maliciously configured Zoho ManageEngine Assist agent for Active Directory reconnaissance, according to an analysis from Huntress Security. Threat actors also tapped Zoho ManageEngine Assist to deploy a vulnerable iteration of the Velociraptor digital forensics and incident response tool, which was repurposed as a command-and-control framework.Aside from installing Cloudflared as a secondary tunnel-based access channel, attackers have also created a scheduled task that uses QEMU to launch an SSH backdoor for persistence, while deactivating Windows Defender and Firewall to ensure continued payload retrieval.
Vulnerability Management, Patch/Configuration Management
SolarWinds WHD vulnerabilities under attack

(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



