Vulnerability Management, Patch/Configuration Management

SolarWinds WHD vulnerabilities under attack

(Adobe Stock)

BleepingComputer reports that intrusions leveraging the critical SolarWinds Web Help Desk flaws, tracked as CVE-2025-40551 and CVE-2026-26399, to deliver legitimate tools for illicit activity have been launched as part of a campaign believed to have commenced in mid-January.

At least three organizations have already been affected by the attacks, which involved abuse of the vulnerabilities for initial access that would then be followed by the installation of a maliciously configured Zoho ManageEngine Assist agent for Active Directory reconnaissance, according to an analysis from Huntress Security. Threat actors also tapped Zoho ManageEngine Assist to deploy a vulnerable iteration of the Velociraptor digital forensics and incident response tool, which was repurposed as a command-and-control framework.

Aside from installing Cloudflared as a secondary tunnel-based access channel, attackers have also created a scheduled task that uses QEMU to launch an SSH backdoor for persistence, while deactivating Windows Defender and Firewall to ensure continued payload retrieval.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds