- Hackers exploit SolarWinds Web Help Desk vulnerabilities CVE-2025-40551 and CVE-2025-26399
- Attackers deploy Zoho ManageEngine, Cloudflare and Velociraptor tunnels for persistence and control
- Campaign underway since January, disabling security tools before deploying additional malware
Why deploy malware and risk raising alarms, when you can simply install legitimate tools and abuse them for malicious purposes? That’s what hackers recently did to at least three organizations, according to a new report from cybersecurity researchers Huntress.
According to investigators, the SolarWinds Web Help Desk (WHD) platform contains two vulnerabilities. The first is an untrusted data deserialization vulnerability that can lead to remote code execution (RCE). It is tracked as CVE-2025-40551 and received a severity score of 9.8/10 (critical).
The second is an unauthenticated AjaxProxy deserialization flaw, which also leads to RCE. This one is tracked as CVE-2025-26399, also with a score of 9.8/10.
Downloading VS Code
Both of these are apparently being exploited by unidentified threat actors to gain access to target networks and deploy legitimate remote monitoring and management tools. Huntress mentioned Zoho ManageEngine, but also Cloudflare tunnels and the Velociraptor cyber incident response tool.
The campaign started in mid-January and is probably still ongoing:
“On February 7, 2026, Huntress SOC Analyst Dipo Rodipe investigated an exploitation case of the SolarWinds Web Help Desk, in which the threat actor quickly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for command and control assets,” Huntress said.
The identities of the attackers and victims are not known at this time, and it is unclear what the purpose of the attacks was. Huntress pointed out that the crooks used their access to disable all security programs running on the target infrastructure, in preparation for deploying additional malware.
“About a second after disabling Defender, the threat actor downloaded a new copy of the VS Code binary,” the researchers said.
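A detection-side illustration of the sequence described above, added here as an example and not part of the Huntress or TechRadar reporting: it runs over a few constructed telemetry lines (the event names, host names and timestamps are assumptions) and flags any host where a security-tool disable is followed within a short window by a binary download, plus any start of the tunnel or RMM tools named in the article.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Huntress report), one event per line:
# "timestamp|host|event_kind|detail". Host whd-01 shows the reported pattern:
# Defender disabled, then a fresh binary download about a second later.
SAMPLE_EVENTS = """\
2026-02-07T10:14:02|whd-01|process_start|java.exe (Web Help Desk service)
2026-02-07T10:15:30|whd-01|defender_disabled|real-time protection turned off
2026-02-07T10:15:31|whd-01|file_download|VSCodeSetup-x64.exe
2026-02-07T10:20:00|whd-01|process_start|cloudflared.exe tunnel run
2026-02-07T11:00:00|fileserver-02|defender_disabled|scheduled maintenance window
2026-02-07T13:30:00|fileserver-02|file_download|patch-bundle.msi
"""

# Tool names the article reports being abused for persistence and C2 (assumed
# to appear in the process command line of the constructed events).
WATCHLIST = ("cloudflared", "velociraptor", "manageengine")


def parse_events(text):
    """Parse the pipe-delimited telemetry into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, host, kind, detail = line.split("|", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "kind": kind, "detail": detail})
    return events


def find_disable_then_download(events, window=timedelta(seconds=60)):
    """Return (host, seconds_between, download_detail) for every host where a
    Defender disable is followed by a file download within `window`."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["kind"] != "defender_disabled":
                continue
            for later in evs[i + 1:]:          # events are sorted, so stop once
                gap = later["ts"] - ev["ts"]    # we leave the correlation window
                if gap > window:
                    break
                if later["kind"] == "file_download":
                    alerts.append((host, gap.total_seconds(), later["detail"]))
    return alerts


def find_tunnel_or_rmm_starts(events):
    """Return (host, command line) for process starts matching the watchlist."""
    return [(e["host"], e["detail"]) for e in events
            if e["kind"] == "process_start"
            and any(w in e["detail"].lower() for w in WATCHLIST)]
```

The second host shows why the window matters: a disable during a maintenance window followed by an unrelated download hours later produces no alert.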
In a separate report, Microsoft also noted that it had observed attacks abusing SolarWinds Web Help Desk, but it did not specify which vulnerabilities were exploited.
Via BleepingComputer