From Help Desk to Hacker Playground: How SolarWinds WHD Vulnerabilities Are Being Exploited in the Wild

Written by: AtomLeap.ai

Threat actors are actively exploiting SolarWinds Web Help Desk flaws to breach networks and deploy stealthy tools like Velociraptor for persistent access. By abusing legitimate admin software, attackers are bypassing defenses and turning help desk servers into covert backdoors.

In early 2026, threat actors began actively targeting SolarWinds Web Help Desk (WHD) installations to gain unauthorized access and establish persistent footholds in corporate environments. Rather than relying on generic malware, attackers are leveraging legitimate software and remote administration tools — efficiently evading traditional defenses and blending into normal enterprise behavior. 

This blog explores: 

  • What SolarWinds WHD is and why it matters 

  • The vulnerabilities being exploited 

  • How attackers are abusing them in real campaigns 

  • The tools deployed after compromise 

  • Why this attack pattern is especially dangerous 

  • What organizations need to do now 

By the end, you’ll not only understand the threat but also know how to protect your infrastructure. 

What Is SolarWinds Web Help Desk? 

SolarWinds Web Help Desk (WHD) is a widely used IT help desk and asset management platform that enables IT teams to track tickets, manage assets, and handle service requests. Like many enterprise tools, WHD is often connected directly to internal assets and sometimes exposed to the internet to support remote teams. 

Its popularity makes it a high-value target — and recent events show that attackers are keenly aware of this. 

The Critical Flaws Under Attack 

In late 2025, multiple critical vulnerabilities in SolarWinds WHD were disclosed that allow remote code execution (RCE) without authentication. Two of the most serious were: 

CVE-2025-40551 

  • A critical untrusted deserialization vulnerability 

  • Enables attackers to execute arbitrary code on the server 

  • Can be exploited without valid credentials 

CVE-2025-26399 

  • Another deserialization-based RCE 

  • Also allows unauthenticated attackers to interact with the system in highly privileged ways 

Both were confirmed to be exploited in the wild as soon as exploit code became available. Organizations that hadn’t yet patched found themselves under active attack almost immediately after the vulnerabilities were publicized. Because of this, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) Catalog — a list of vulnerabilities actively abused by attackers. 

Initial Access: How Attackers Get In 

Let’s break down the attacker’s initial move: 

  1. Scan for Exposed WHD Instances 
    Many WHD deployments are reachable from the internet because help desk portals are often exposed to support remote access. 

  2. Exploit RCE Vulnerabilities 
    Using the untrusted deserialization bugs, attackers can run code on the WHD server without any authentication. This gives them a foothold inside the network. 

  3. Deploy Second-Stage Tools 
    Once on the server, attackers rarely stop at simple code execution. Instead, they deploy tools that let them maintain access, move laterally, and gather data. 

This kind of attack chain — starting with unauthenticated RCE — is especially dangerous because the entry point is the application itself, not a misconfigured server or weak credentials. 

Dual-Use Tool Abuse: Blending In With Legitimate Software 

One of the most troubling aspects of this campaign is what happens after initial access. Instead of deploying typical malware, the attackers have been observed installing legitimate remote administration and incident response tools, and then abusing them for malicious purposes. This technique — using trusted software for untrusted activity — helps attackers evade traditional detection. 

Two notable tools found on compromised servers are: 

Zoho ManageEngine Assist 

  • A legitimate remote support tool 

  • Used by IT teams to access endpoints for troubleshooting 

  • Installed by attackers via MSI package 

  • Configured for unattended access 

  • Makes it simple for attackers to connect and control the server remotely 

Because Zoho Assist is a legitimate tool, many endpoint detection systems don’t flag its presence as suspicious. In these cases, attackers abuse trusted functionality to gain remote desktop access to WHD servers. 

Velociraptor 

  • An open-source digital forensics and incident response (DFIR) tool 

  • Designed for system monitoring, investigations, and threat hunting 

  • In the hands of attackers, it becomes a command-and-control (C2) platform 

  • Provides encrypted remote command execution, file access, and scripting capabilities 

Attackers installed Velociraptor agents that connected back to attacker-controlled infrastructure, using them to maintain persistence and run commands on compromised systems. Unusually, many deployments used Velociraptor v0.73.4, a version known to contain a privilege escalation flaw that attackers could abuse to elevate permissions further. 

This tactic — installing legitimate tools and using them for malicious operations — is part of a broader trend known as living off the land. It reduces the likelihood of detection because defenders may assume legitimate software isn’t harmful. 

Backdoors, Persistence, and Network Tunnels 

Once attackers establish a foothold, they don’t just run tools — they reinforce their hold with persistence mechanisms and fallback access paths. Observations from incident responders include: 

Scheduled Tasks & Backdoors 

Attackers created scheduled tasks that re-establish access or run additional commands at set intervals — a classic persistence mechanism. 

Cloudflared Tunnels 

Some compromised systems had Cloudflare tunnels installed, enabling persistent remote access through Cloudflare’s infrastructure. Because traffic looks like normal encrypted web traffic, this technique helps attackers evade network monitoring and firewall rules. 

Disabling Defender & Firewalls 

To reduce obstacles, attackers modified registry settings to turn off Windows Defender and firewall safeguards — ensuring that subsequent actions are less likely to be stopped by built-in protections. 

These persistence and remote access measures underline the fact that attackers are not just probing — they’re settling in. 

Why This Attack Pattern Is Particularly Dangerous 

This campaign stands out for several reasons: 

Exploited Without Authentication 

Both CVE-2025-40551 and CVE-2025-26399 allowed attackers to run code without any need for valid credentials. This dramatically lowers the bar for exploitation. 

Use of Legitimate Tools 

Instead of deploying easily flagged malware, attackers use legitimate remote support and DFIR tools. This dual-use abuse makes detection significantly harder. 

Tunnels Hide Traffic 

Cloudflared and similar tunneling mechanisms make malicious connections look like normal web traffic — often bypassing firewalls and IDS/IPS systems. 

Focus on Persistence 

Rather than hitting and running, attackers established persistent access with multiple fallback options. 

These characteristics make this campaign similar to advanced persistent threats (APTs) — groups that aim to maintain long-term access for espionage or destructive operations. 

Real-World Impact: What Happens When a WHD Server Is Compromised 

If your SolarWinds WHD instance is compromised, the attacker can: 

  • Harvest credentials and sensitive internal data 

  • Pivot to other internal systems or servers 

  • Install backdoors and remote access tools 

  • Create lateral movement paths 

  • Maintain long-term persistence 

  • Evade detection by blending with legitimate software 

In addition, WHD often has privileged access to asset and inventory information, which means attackers could map internal resources and identify high-value targets once inside. 

What Organizations Should Do Now 

Given that these vulnerabilities are actively exploited, defenders must move quickly. Here’s a prioritized action plan: 

1. Patch Immediately 

Ensure SolarWinds WHD is upgraded to the latest version that fixes CVE-2025-40551 and CVE-2025-26399. Patch deployment should be treated as urgent given known exploitation. 

2. Restrict Internet Exposure 

Web Help Desk should never be directly exposed to the internet unless absolutely necessary. Place it behind a VPN or other secure gateway, and restrict access to known IPs. 

3. Audit Credentials 

Reset passwords for all users associated with the WHD instance. When possible, require multifactor authentication (MFA) for administrative logins. 

4. Review Installed Software 

Look for unauthorized installations of: 

  • Zoho ManageEngine Assist 

  • Velociraptor or similar DFIR tools 

  • Cloudflared or any reverse tunneling service 

  • Other remote access utilities 

If found, treat the system as compromised and isolate it. 

5. Monitor for Indicators of Compromise (IOCs) 

Security researchers have shared Sigma rules and detection indicators related to: 

  • MSI installation artifacts 

  • PowerShell encoded payloads 

  • Cloudflared connections 

  • New scheduled tasks 

  • Odd processes running under SYSTEM 

Implement these detection rules in your SIEM or endpoint detection platforms. 
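As an added example that is not part of the original post (and not any vendor's or researcher's published rule set), the following Python script runs the indicator categories from steps 4 and 5 over a handful of constructed process-creation events: unattended MSI installs of remote support tooling, encoded PowerShell, cloudflared, scheduled-task creation, and SYSTEM-level processes launched from unusual paths. The event field names, file paths and regex patterns are assumptions chosen for illustration, not telemetry from a real incident.

```python
import re

# Constructed sample process-creation events (user, image path, command line),
# loosely modelled on Sysmon/Windows telemetry; not real data from any incident.
SAMPLE_EVENTS = [
    {"user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\ZohoAssist.msi /qn"},
    {"user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"user": "NT AUTHORITY\\SYSTEM", "image": r"C:\ProgramData\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run"},
    {"user": "CORP\\whdsvc", "image": r"C:\Program Files\SolarWinds\WebHelpDesk\bin\java.exe",
     "cmdline": "java.exe -jar whd.jar"},
    {"user": "NT AUTHORITY\\SYSTEM", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Updater" /sc minute /mo 30 /tr C:\Temp\v.exe'},
]

# Command-line patterns mirroring the indicator categories listed in step 5
# (assumed patterns for illustration, not a published Sigma rule set).
RULES = [
    ("msi_install_remote_tool", r"msiexec.*(zoho|assist|velociraptor)"),
    ("powershell_encoded", r"powershell.*\s-(e|ec|enc|encodedcommand)\b"),
    ("cloudflared_tunnel", r"cloudflared"),
    ("scheduled_task_created", r"schtasks.*/create"),
]

# Directories from which a SYSTEM-level process is normally expected to run.
EXPECTED_SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files")


def match_rules(event):
    """Return the names of every rule the event trips, in RULES order."""
    hits = [name for name, pat in RULES if re.search(pat, event["cmdline"], re.I)]
    # "Odd processes running under SYSTEM": SYSTEM binaries outside the usual paths.
    if (event["user"].upper().endswith("\\SYSTEM")
            and not event["image"].lower().startswith(EXPECTED_SYSTEM_DIRS)):
        hits.append("unexpected_system_process")
    return hits


def triage(events):
    """Return [(cmdline, [rule names])] for every event that trips at least one rule."""
    flagged = []
    for ev in events:
        hits = match_rules(ev)
        if hits:
            flagged.append((ev["cmdline"], hits))
    return flagged
```

Running `triage(SAMPLE_EVENTS)` flags four of the five events with their matching rule names and leaves the WHD service's own Java process untouched; in practice the event list would be fed from your SIEM or EDR export rather than constructed inline.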

6. Isolate and Investigate 

If you suspect compromise: 

  1. Take the WHD server offline immediately 

  2. Perform a forensic investigation 

  3. Scan for lateral movement and other footholds 

  4. Rebuild the server rather than relying on patching in place 

7. Segment Your Network 

Ensure that the WHD server cannot directly communicate with sensitive internal assets. Use network segmentation to limit blast radius if a breach occurs. 

Lessons Learned: What This Attack Tells Us 

This campaign highlights several broader trends in cybersecurity: 

Legacy and Third-Party Software Is Often Under-Protected 

Applications like SolarWinds Web Help Desk are business-critical but often overlooked in patch cadences and vulnerability scanning. 

Attackers Exploit Trust 

By using legitimate tools like Zoho Assist and DFIR tooling, attackers exploit trust — making detection based on signatures or heuristics fail. 

Network Monitoring Alone Isn’t Enough 

With tunneling tools and legitimate remote software, traditional network monitoring can miss covert command channels. 

Final Thoughts: Act Now, Don’t Wait 

The active exploitation of SolarWinds WHD vulnerabilities is more than a patching exercise — it’s a reminder that: 

  • Security is proactive, not reactive 

  • Legitimate tools can be weaponized 

  • Exposure to the internet multiplies risk 

  • Quick detection and response save organizations from deeper compromise 

If you manage or rely on SolarWinds WHD, update it now, audit access and remote tools, and implement the security measures above. Waiting for a breach to show you the gaps is far more costly than closing them preemptively. 
