Cyber Web Spider Blog – News

Hackers Target SolarWinds Vulnerability to Deploy Tools


Posted on February 9, 2026 By CWS

SolarWinds Web Help Desk Under Attack

A critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk is being actively exploited by malicious actors. These attacks involve the deployment of legitimate yet misused administrative tools, significantly increasing the risk to organizations using the affected software.

Observations by Huntress indicate that 84 endpoints across 78 organizations are particularly vulnerable. This highlights the widespread risk associated with the SolarWinds Web Help Desk platform.

Attack Methods and Tools Used

The attack sequence begins with the exploitation of the SolarWinds Web Help Desk service, where a compromised service wrapper initiates a Java process. This process executes a series of commands to silently install a remote MSI payload, leveraging the Catbox file-hosting service.

This payload launches a Zoho ManageEngine RMM agent, a tool that, despite its legitimate use, offers persistent, unattended access for attackers. The agent connects to an attacker-controlled account, providing immediate control.

Timeline and Techniques of the Cyber Attack

Once the remote management tool is active, attackers engage in reconnaissance activities to map domain-joined systems. This is achieved through commands such as 'net group "domain computers" /do', a precursor to targeted lateral movement within the network.

In rapid succession, attackers deploy Velociraptor, an open-source Digital Forensics and Incident Response (DFIR) platform, via another silent MSI installation. Although intended for defense, Velociraptor is exploited to execute commands and maintain control over compromised endpoints.
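
An added example, not from the original article or from Huntress: detection logic in Python for the chain described above (a Java-spawned silent MSI install from a URL, followed on the same host by domain-computer enumeration or a second silent MSI install). The event field names follow Sysmon process-creation naming, and the hosts, paths, URLs and timestamps are constructed placeholders; all are assumptions.

```python
import re
from datetime import datetime, timedelta

# msiexec with a quiet switch (/q, /qn, /quiet) and an http(s) package source
SILENT_REMOTE_MSI = re.compile(
    r"msiexec(\.exe)?\b(?=.*\s/q(n|uiet)?\b)(?=.*https?://)", re.I)
# net group "domain computers" enumeration, the command quoted in the article
DOMAIN_RECON = re.compile(r'\bnet1?(\.exe)?\s+group\s+"?domain computers"?', re.I)
JAVA_PARENT = re.compile(r"\\javaw?\.exe$", re.I)

def classify(event):
    """Tag one process-creation event, or return None if it is uninteresting."""
    cmd = event["CommandLine"]
    if SILENT_REMOTE_MSI.search(cmd):
        # A JVM that installs packages from the internet is the strongest signal.
        return "msi_from_java" if JAVA_PARENT.search(event["ParentImage"]) else "msi_remote"
    return "domain_recon" if DOMAIN_RECON.search(cmd) else None

def find_chains(events, window=timedelta(minutes=30)):
    """Per host: the Java-spawned silent install plus follow-on stages inside `window`."""
    first_drop, findings = {}, {}
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        tag = classify(ev)
        if tag is None:
            continue
        host, ts = ev["Computer"], datetime.fromisoformat(ev["UtcTime"])
        if tag == "msi_from_java":
            first_drop.setdefault(host, ts)
            findings.setdefault(host, []).append(tag)
        elif host in first_drop and ts - first_drop[host] <= window:
            findings[host].append(tag)
    return findings

# Constructed sample events; hosts, paths and URLs are placeholders.
JAVA = r"C:\placeholder\jre\bin\java.exe"
RMM = r"C:\placeholder\rmm-agent.exe"
URL = "https://files.example.invalid"
SAMPLE_EVENTS = [
    {"Computer": "HELPDESK01", "UtcTime": "2026-01-01T10:00:05", "ParentImage": JAVA,
     "CommandLine": f"cmd.exe /c msiexec /q /i {URL}/a.msi"},
    {"Computer": "HELPDESK01", "UtcTime": "2026-01-01T10:04:10", "ParentImage": RMM,
     "CommandLine": 'net group "domain computers" /do'},
    {"Computer": "HELPDESK01", "UtcTime": "2026-01-01T10:09:30", "ParentImage": RMM,
     "CommandLine": f"msiexec /qn /i {URL}/b.msi"},
    # Same enumeration on a host with no preceding drop: not reported.
    {"Computer": "ADMINPC07", "UtcTime": "2026-01-01T11:00:00",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'net group "domain computers" /domain'},
]
```

The 30-minute window and the java.exe parent match are tuning choices; on hosts running other Java applications the parent check should be narrowed to the help desk service's own JVM path.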

Security Measures and Recommendations

The campaign highlights the urgency for organizations to update their SolarWinds Web Help Desk installations to version 2026.1 or later, addressing specific vulnerabilities including CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551.

Security protocols should include removing administrative interfaces from internet exposure, rotating credentials, and conducting thorough reviews for unauthorized tools and activities. Proactive measures are vital as exploitation efforts continue to escalate.

