SolarWinds Web Help Desk (WHD) is under attack, with recent incidents exploiting a chain of zero-day and patched vulnerabilities dating back to late 2025, an analysis of customer reports by security company Huntress has found.
Until now, it has been unclear which combination of recent WHD vulnerabilities was behind a series of compromises of customer systems first uncovered in December.
On January 28, SolarWinds published an advisory that mentioned six CVEs rated either ‘critical’ or ‘high.’ These included two zero-days with a CVSS score of 9.8: CVE-2025-40551, a deserialization flaw allowing remote code execution (RCE), and CVE-2025-40536, an authentication bypass.
Even the Microsoft Defender Research Team, which detected WHD attacks on its customers before Christmas, was unsure exactly which combination had let attackers in: “Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,” Microsoft researchers wrote on February 6.
However, in recent days Huntress confirmed what was always the most likely explanation: Attackers had targeted three of its customers by chaining both of the above flaws in combination with an older RCE deserialization vulnerability, the critical-rated CVE-2025-26399, made public last September.
Once the systems were compromised, the attacks detected by Huntress used a mixture of techniques to burrow deeper while hiding themselves, including deploying the open-source Velociraptor forensic tool as a C2 connection backed by an encrypted Cloudflared outbound tunnel.
Urgent patching
Given that SolarWinds estimates that its WHD service management and ticketing platform is used by 300,000 customers, it’s not surprising that cybercriminals would take any opportunity to target it.
WHD is built as a Java-based application that runs inside Apache Tomcat. Deserialization vulnerabilities are especially dangerous in this context because they allow an attacker to send a malicious serialized Java object in a request, which WHD automatically deserializes without authentication. At that point, the attackers can achieve remote code execution.
“All previous versions of SolarWinds Web Help Desk prior to 12.8.7 HF1 are vulnerable to these vulnerabilities,” said Huntress.
That’s the simple takeaway: patch the SolarWinds WHD application as a matter of urgency. This includes customers who didn’t patch September 2025’s CVE-2025-26399, also used as part of the recent attacks.
That requires upgrading to WHD 2026.1 whilst paying attention to the caveats set out by SolarWinds in its release notes. Any instances of Velociraptor, Cloudflared, or Zoho Assist (also utilized in campaigns) should be considered suspicious, as well as ‘silent’ MSI installations spawned by WHD.
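As an added example (not code from Huntress or SolarWinds), the process-level indicators above turned into a small triage script run over constructed Sysmon-style process-creation records: silent msiexec installs spawned by the WHD Java process, and any Velociraptor, Cloudflared or Zoho Assist binary. The WHD install path, the binary names and the log format are assumptions, and the extra check for a command shell spawned by WHD goes beyond the article's list.

```python
import re

# Constructed sample records in a Sysmon Event ID 1 style (key=value, pipe-separated).
# The WHD install path and file locations are assumptions for illustration only.
SAMPLE_EVENTS = [
    r"ParentImage=C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /i C:\Windows\Temp\agent.msi /qn",
    r"ParentImage=C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\msiexec.exe|CommandLine=msiexec.exe /i C:\Users\bob\Downloads\vlc.msi",
    r"ParentImage=C:\Windows\System32\services.exe|Image=C:\Program Files\Velociraptor\Velociraptor.exe|CommandLine=Velociraptor.exe service run",
    r"ParentImage=C:\Windows\System32\cmd.exe|Image=C:\ProgramData\cloudflared.exe|CommandLine=cloudflared.exe tunnel run",
    r"ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe",
]

# msiexec switches that make an install run without UI ("silent").
SILENT_MSI_FLAGS = re.compile(r"(?:^|\s)/(?:qn|quiet|qb)(?:\s|$)", re.IGNORECASE)
# Tools the article names as suspicious when found on a WHD host (substring match on the image name).
SUSPICIOUS_TOOLS = ("velociraptor", "cloudflared", "zoho")
SHELLS = ("cmd.exe", "powershell.exe")


def parse_event(line: str) -> dict:
    """Split one pipe-separated key=value record into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def is_whd_parent(parent_image: str) -> bool:
    # Assumption: the WHD Java process lives under a path containing "WebHelpDesk".
    return "webhelpdesk" in parent_image.lower()


def classify(event: dict) -> list:
    """Return the list of indicators this event matches (empty if none)."""
    findings = []
    image_name = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if is_whd_parent(event.get("ParentImage", "")):
        if image_name == "msiexec.exe" and SILENT_MSI_FLAGS.search(cmd):
            findings.append("silent MSI install spawned by WHD")
        elif image_name in SHELLS:
            findings.append("command shell spawned by WHD")
    findings.extend(f"{tool} binary present" for tool in SUSPICIOUS_TOOLS if tool in image_name)
    return findings


def scan(lines: list) -> list:
    """Return (record index, findings) for every record that matches at least one indicator."""
    hits = []
    for index, line in enumerate(lines):
        findings = classify(parse_event(line))
        if findings:
            hits.append((index, findings))
    return hits
```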
Huntress also recommends placing WHD behind a VPN or firewall and resetting all service or admin account passwords, as well as any credentials stored within WHD itself.