SolarWinds WHD zero-days from January are under attack

SolarWinds Web Help Desk (WHD) is under attack, with recent incidents exploiting a chain of zero-day and patched vulnerabilities dating back to late 2025, an analysis of customer reports by security company Huntress has found.

Until now, it has been unclear which combination of recent WHD vulnerabilities was behind a series of compromises of customer systems first uncovered in December.

On January 28, SolarWinds published an advisory that mentioned six CVEs rated either ‘critical’ or ‘high.’ These included two zero-days with a CVSS score of 9.8: CVE-2025-40551, a deserialization flaw allowing remote code execution (RCE), and CVE-2025-40536, an authentication bypass.

Even the Microsoft Defender Research Team, which detected WHD attacks on its customers before Christmas, was unsure exactly which combination had let attackers in: “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” Microsoft researchers wrote on February 6.

However, in recent days Huntress confirmed what was always the most likely explanation: Attackers had targeted three of its customers by chaining both of the above flaws in combination with an older RCE deserialization vulnerability, the critical-rated CVE-2025-26399, made public last September.

Once the systems were compromised, the attacks detected by Huntress used a mixture of techniques to burrow deeper while hiding themselves, including deploying the open-source Velociraptor forensic tool as a C2 connection backed by an encrypted Cloudflared outbound tunnel.

Principal Security Researcher John Hammond said the earliest indicator Huntress had seen for SolarWinds Web Help Desk exploitation was on January 16, 2026, although there was evidence of threat actors leveraging Velociraptor for abuse since September of 2025.

“We believe that the actor behind this is Storm-2603, since indicators are very similar to what we saw in prior incidents which were confirmed as tied to Storm-2603. Normally these types of incidents would have led to Warlock ransomware, but in this case, it seems as if the attackers were still in reconnaissance mode since their main objectives appeared to be to collect system information from as many victims as possible,” he said via email. “Out of three confirmed cases that we saw, two installed the agent sometime after the attack was initiated so there were mostly just remnants of indicators from prior activities. The third machine was stopped mid-attack, so the attacker didn’t get a chance to do much on that machine.”

Urgent patching

Given that SolarWinds estimates that its WHD service management and ticketing platform is used by 300,000 customers, it’s not surprising that cybercriminals would take any opportunity to target it.

WHD is built as a Java-based application that runs inside Apache Tomcat. Deserialization vulnerabilities are especially dangerous in this context because they allow an attacker to send a malicious serialized Java object in a request, which WHD automatically deserializes without authentication. At that point, the attackers can achieve remote code execution.

“All previous versions of SolarWinds Web Help Desk prior to 12.8.7 HF1 are vulnerable to these vulnerabilities,” said Huntress.

That’s the simple takeaway: patch the SolarWinds WHD application as a matter of urgency. This includes customers who didn’t patch September 2025’s CVE-2025-26399, also used as part of the recent attacks.

That requires upgrading to WHD 2026.1 whilst paying attention to the caveats set out by SolarWinds in its release notes. Any instances of Velociraptor, Cloudflared, or Zoho Assist (also utilized in campaigns) should be considered suspicious, as well as ‘silent’ MSI installations spawned by WHD.
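A hunt over process-creation events for the indicators the article lists (Velociraptor, Cloudflared, Zoho Assist, and silent MSI installs spawned by WHD) could look like the following. This is an added example, not detection logic from Huntress or SolarWinds; the record format, the parent-process names and the sample events are constructed assumptions.

```python
"""Flag process-creation events matching the WHD post-exploitation indicators
the article lists. Added example: record format, parent names and sample events
are constructed assumptions, not vendor telemetry."""
import re
from typing import Optional

# Assumption: WHD's embedded Tomcat runs under one of these Java process images.
WHD_PARENTS = {"java.exe", "javaw.exe", "tomcat9.exe"}
# Tools the article says should be treated as suspicious on a WHD host.
SUSPICIOUS_IMAGES = {"velociraptor.exe", "cloudflared.exe", "zohoassist.exe"}
# msiexec switches that request a silent or unattended install.
SILENT_MSI = re.compile(r"(?:^|\s)/(?:q[nb]?|quiet|passive)\b", re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' process-creation record."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def classify(ev: dict) -> Optional[str]:
    """Return the indicator an event matches, or None if nothing matched."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    parent = ev["parent"].lower().rsplit("\\", 1)[-1]
    if image in SUSPICIOUS_IMAGES:
        return f"suspicious tool: {image}"
    # Silent MSI install whose parent is the WHD Java process.
    if image == "msiexec.exe" and parent in WHD_PARENTS and SILENT_MSI.search(ev["cmdline"]):
        return "silent MSI install spawned by WHD"
    return None

def hunt(lines) -> list:
    """Return (record_number, indicator) pairs for every matching event."""
    hits = []
    for n, line in enumerate(lines, 1):
        hit = classify(parse_event(line))
        if hit:
            hits.append((n, hit))
    return hits

SAMPLE_LOG = [  # constructed records, not real telemetry
    r"image=C:\Windows\System32\msiexec.exe|parent=C:\Program Files\WebHelpDesk\bin\java.exe|cmdline=msiexec.exe /i C:\Windows\Temp\upd.msi /qn",
    r"image=C:\ProgramData\vr\velociraptor.exe|parent=C:\Windows\System32\cmd.exe|cmdline=velociraptor.exe --config client.yaml client",
    r"image=C:\Windows\System32\msiexec.exe|parent=C:\Windows\explorer.exe|cmdline=msiexec.exe /i setup.msi",
    r"image=C:\Tools\cloudflared.exe|parent=C:\Windows\System32\services.exe|cmdline=cloudflared.exe tunnel run",
]

if __name__ == "__main__":
    for n, hit in hunt(SAMPLE_LOG):
        print(f"record {n}: {hit}")
```

The interactive MSI install from explorer.exe in the third record is deliberately left unflagged, so the rule only fires on the unattended-install pattern the article describes.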

Huntress also recommends placing WHD behind a VPN or firewall and resetting all service or admin account passwords, as well as any credentials stored within WHD itself.
