{"id":6967,"date":"2026-02-10T15:58:43","date_gmt":"2026-02-10T15:58:43","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=6967"},"modified":"2026-02-10T15:58:43","modified_gmt":"2026-02-10T15:58:43","slug":"solarwinds-whd-zero-days-from-january-are-under-attack","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=6967","title":{"rendered":"SolarWinds WHD zero-days from January are under attack"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>SolarWinds Web Help Desk (WHD) is under attack, with recent incidents exploiting a chain of zero-day and patched vulnerabilities dating back to late 2025, an analysis of customer reports by security company Huntress has found.<\/p>\n<p>Until now, it has been unclear which combination of recent WHD vulnerabilities was behind a series of compromises of customer systems first uncovered in December.<\/p>\n<p>On January 28, SolarWinds <a href=\"https:\/\/www.csoonline.com\/article\/4124030\/solarwinds-again-critical-rce-bugs-reopen-old-wounds-for-enterprise-security-teams.html\">published an advisory<\/a> that mentioned six CVEs rated either \u2018critical\u2019 or \u2018high.\u2019 These included two zero-days with a CVSS score of 9.8: <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-40551\" target=\"_blank\" rel=\"noopener\">CVE-2025-40551<\/a>, a deserialization flaw allowing remote code execution (RCE), and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-40536\" target=\"_blank\" rel=\"noopener\">CVE-2025-40536<\/a>, an authentication bypass.<\/p>\n<p>Even the Microsoft Defender Research Team, which detected WHD attacks on its customers before Christmas, was unsure exactly which combination had let attackers in: \u201cSince the attacks occurred in December 2025 and on machines vulnerable to 
both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,\u201d <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/02\/06\/active-exploitation-solarwinds-web-help-desk\/\" target=\"_blank\" rel=\"noopener\">Microsoft researchers wrote<\/a> on February 6.<\/p>\n<p>However, in recent days <a href=\"https:\/\/www.huntress.com\/blog\/active-exploitation-solarwinds-web-help-desk-cve-2025-26399\" target=\"_blank\" rel=\"noopener\">Huntress confirmed<\/a> what was always the most likely explanation: Attackers had targeted three of its customers by chaining both of the above flaws in combination with an older RCE deserialization vulnerability, the critical-rated <a href=\"https:\/\/www.csoonline.com\/article\/3567911\/critical-solarwinds-flaw-finds-exploitations-in-the-wild-despite-available-fixes.html\">CVE-2025-26399, made public last September<\/a>.<\/p>\n<p>Once the systems were compromised, the attacks detected by Huntress used a mixture of techniques to burrow deeper while hiding themselves, including deploying the open-source Velociraptor forensic tool as a C2 connection backed by an encrypted Cloudflared outbound tunnel.<\/p>\n<p>Principal Security Researcher John Hammond said the earliest indicator Huntress had seen for SolarWinds Web Help Desk exploitation was on January 16, 2026, although there was evidence of threat actors leveraging Velociraptor for abuse since September of 2025.<\/p>\n<p>\u201cWe believe that the actor behind this is Storm-2603, since indicators are very similar to what we saw in prior incidents which were confirmed as tied to Storm-2603. Normally these types of incidents would have led to Warlock ransomware, but in this case, it seems as if the attackers were still in reconnaissance mode since their main objectives appeared to be to collect system information from as many victims as possible,\u201d he said via email. 
\u201cOut of three confirmed cases that we saw, two installed the agent sometime after the attack was initiated so there were mostly just remnants of indicators from prior activities. The third machine was stopped mid-attack, so the attacker didn\u2019t get a chance to do much on that machine.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Urgent patching<\/h2>\n<p>Given that SolarWinds estimates that its WHD service management and ticketing platform is used by 300,000 customers, it\u2019s not surprising that cybercriminals would take any opportunity to target it.<\/p>\n<p>WHD is built as a Java-based application that runs inside Apache Tomcat. Deserialization vulnerabilities are especially dangerous in this context because they allow an attacker to send a malicious serialized Java object in a request, which WHD automatically deserializes without authentication. At that point, the attackers can achieve remote code execution.<\/p>\n<p>\u201cAll previous versions of SolarWinds Web Help Desk prior to 12.8.7 HF1 are vulnerable to these vulnerabilities,\u201d said Huntress.<\/p>\n<p>That\u2019s the simple takeaway: patch the SolarWinds WHD application as a matter of urgency. This includes customers who didn\u2019t patch September 2025\u2019s CVE-2025-26399, also used as part of the recent attacks.<\/p>\n<p>That requires upgrading to WHD 2026.1 whilst paying attention to the caveats set out by SolarWinds in its <a href=\"https:\/\/documentation.solarwinds.com\/en\/success_center\/whd\/content\/release_notes\/whd_2026-1_release_notes.htm#link6\" target=\"_blank\" rel=\"noopener\">release notes<\/a>. 
Any instances of Velociraptor, Cloudflared, or Zoho Assist (also utilized in campaigns) should be considered suspicious, as well as \u2018silent\u2019 MSI installations spawned by WHD.<\/p>\n<p>Huntress also recommends placing WHD behind a VPN or firewall and resetting all service or admin account passwords, as well as any credentials stored within WHD itself.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>SolarWinds Web Help Desk (WHD) is under attack, with recent incidents exploiting a chain of zero-day and patched vulnerabilities dating back to late 2025, an analysis of customer reports by security company Huntress has found. Until now, it has been unclear which combination of recent WHD vulnerabilities were behind a series of compromises of customer [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":6953,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6967","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6967"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6967"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/6967\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/6953"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6967"}],"wp:term":[{"taxonomy":"categor
y","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}