Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)
Essential information
- Published
- 09/02/2026 06:01
- Modified
- 09/02/2026 11:43
- Tags
- 2026-02-09 CVE-2025-26399 CVE-2025-40536 CVE-2025-40551 cloudflare elastic cloud solarwinds velociraptor web help desk
- Related entities
- 3 vulnerabilities (cve), 5 observables, 16 techniques (mitre), 1 others
Description
Threat actors are actively exploiting a vulnerability in SolarWinds Web Help Desk, targeting organizations using versions prior to 12.8.7 HF1. The attack chain involves deploying Zoho ManageEngine RMM agents, Velociraptor for command and control, and Cloudflare tunnels for persistence. Attackers use encoded PowerShell commands, disable Windows Defender and Firewall, and implement a C2 failover mechanism. They also utilize Elastic Cloud for data exfiltration and QEMU for SSH backdoor persistence. The earliest known instance of this persistence mechanism was observed on January 16, 2026. Organizations are advised to update their SolarWinds Web Help Desk, restrict administrative interface access, reset credentials, and review hosts for unauthorized tools and suspicious activities.