216.73.216.233

Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)

· Published 09/02/2026 06:01 · Modified 09/02/2026 11:43

Export JSON

Essential information

Published
09/02/2026 06:01
Modified
09/02/2026 11:43
Tags
2026-02-09 CVE-2025-26399 CVE-2025-40536 CVE-2025-40551 cloudflare elastic cloud solarwinds velociraptor web help desk
Related entities
3 vulnerabilities (cve), 5 observables, 16 techniques (mitre), 1 others

Description

Threat actors are actively exploiting a vulnerability in , targeting organizations using versions prior to 12.8.7 HF1. The attack chain involves deploying Zoho ManageEngine RMM agents, for command and control, and tunnels for persistence. Attackers use encoded PowerShell commands, disable Windows Defender and Firewall, and implement a C2 failover mechanism. They also utilize for data exfiltration and QEMU for SSH backdoor persistence. The earliest known instance of this persistence mechanism was observed on January 16, 2026. Organizations are advised to update their , restrict administrative interface access, reset credentials, and review hosts for unauthorized tools and suspicious activities.

External references