{"id":15770,"date":"2026-02-10T16:03:31","date_gmt":"2026-02-10T16:03:31","guid":{"rendered":"https:\/\/newestek.com\/?p=15770"},"modified":"2026-02-10T16:03:31","modified_gmt":"2026-02-10T16:03:31","slug":"solarwinds-whd-zero-days-from-january-are-under-attack","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15770","title":{"rendered":"SolarWinds WHD zero-days from January are under attack"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>SolarWinds Web Help Desk (WHD) is under attack, with recent incidents exploiting a chain of zero-day and patched vulnerabilities dating back to late 2025, an analysis of customer reports by security company Huntress has found.<\/p>\n<p>Until now, it has been unclear which combination of recent WHD vulnerabilities was behind a series of compromises of customer systems first uncovered in December.<\/p>\n<p>On January 28, SolarWinds <a href=\"https:\/\/www.csoonline.com\/article\/4124030\/solarwinds-again-critical-rce-bugs-reopen-old-wounds-for-enterprise-security-teams.html\">published an advisory<\/a> that mentioned six CVEs rated either \u2018critical\u2019 or \u2018high.\u2019 These included two zero-days with a CVSS score of 9.8: <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-40551\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-40551<\/a>, a deserialization flaw allowing remote code execution (RCE), and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-40536\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-40536<\/a>, an authentication bypass.<\/p>\n<p>Even the Microsoft Defender Research Team, which detected WHD attacks on its customers before Christmas, was unsure exactly which combination had
let attackers in: \u201cSince the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold,\u201d <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2026\/02\/06\/active-exploitation-solarwinds-web-help-desk\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft researchers wrote<\/a> on February 6.<\/p>\n<p>However, in recent days <a href=\"https:\/\/www.huntress.com\/blog\/active-exploitation-solarwinds-web-help-desk-cve-2025-26399\" target=\"_blank\" rel=\"noreferrer noopener\">Huntress confirmed<\/a> what was always the most likely explanation: attackers had targeted three of its customers by chaining the two zero-days above with an older deserialization RCE vulnerability, the critical-rated <a href=\"https:\/\/www.csoonline.com\/article\/3567911\/critical-solarwinds-flaw-finds-exploitations-in-the-wild-despite-available-fixes.html\">CVE-2025-26399, made public last September<\/a>.<\/p>\n<p>Once the systems were compromised, the attacks detected by Huntress used a mixture of techniques to burrow deeper while hiding themselves, including abusing the open-source Velociraptor incident-response tool as a command-and-control (C2) channel, backed by an encrypted outbound Cloudflared tunnel so the traffic blends in with ordinary HTTPS egress.<\/p>\n<h2 class=\"wp-block-heading\" id=\"urgent-patching\">Urgent patching<\/h2>\n<p>Given that SolarWinds estimates that its WHD service management and ticketing platform is used by 300,000 customers, it\u2019s not surprising that cybercriminals would take any opportunity to target it.<\/p>\n<p>WHD is a Java application that runs inside Apache Tomcat. Deserialization vulnerabilities are especially dangerous in this setting because Java\u2019s ObjectInputStream reconstructs whatever classes the incoming byte stream names: an attacker who can reach an endpoint that deserializes request data before any credential check sends a crafted object graph (a gadget chain built from classes already on the application\u2019s classpath), and the side effects of reconstructing that graph execute attacker-chosen code whether or not the caller ever authenticated.
The result is remote code execution without a valid account.<\/p>\n<p>\u201cAll previous versions of SolarWinds Web Help Desk prior to 12.8.7 HF1 are vulnerable to these vulnerabilities,\u201d said Huntress.<\/p>\n<p>That\u2019s the simple takeaway: patch the SolarWinds WHD application as a matter of urgency. This includes customers who didn\u2019t patch September 2025\u2019s CVE-2025-26399, also used as part of the recent attacks.<\/p>\n<p>That requires upgrading to WHD 2026.1 while paying attention to the caveats set out by SolarWinds in its <a href=\"https:\/\/documentation.solarwinds.com\/en\/success_center\/whd\/content\/release_notes\/whd_2026-1_release_notes.htm#link6\" target=\"_blank\" rel=\"noreferrer noopener\">release notes<\/a>. Any instance of Velociraptor, Cloudflared, or Zoho Assist (also used in the campaigns) that the organization did not deploy itself should be treated as suspicious, as should \u2018silent\u2019 MSI installations spawned by the WHD process.<\/p>\n<p>Huntress also recommends restricting access to WHD by placing it behind a VPN or firewall, and resetting all service or admin account passwords, as well as any credentials stored within WHD itself.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>SolarWinds Web Help Desk (WHD) is under attack, with recent incidents exploiting a chain of zero-day and patched vulnerabilities dating back to late 2025, an analysis of customer reports by security company Huntress has found. Until now, it has been unclear which combination of recent WHD vulnerabilities was behind a series of compromises of customer systems first uncovered in December.
On January 28, SolarWinds published&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15770\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15770","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15770","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15770"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15770\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15770"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15770"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15770"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
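The paragraph under "Urgent patching" that explains why a Java deserialization flaw in a Tomcat-hosted application is so dangerous describes the mechanism in one sentence. The following is an added example, not SolarWinds or Huntress code and not WHD's actual request handling: it puts the exploitable pattern (network bytes fed straight to ObjectInputStream, before any authentication) beside the hardened pattern (authenticate first, then deserialize only under a JEP 290 ObjectInputFilter allow-list). The class names, the Report type, the placeholder session-token check and the harmless Gadget class standing in for a real gadget chain are all assumptions made for the demonstration.

```java
// Added example, not SolarWinds WHD code. Gadget is a harmless stand-in for a
// gadget-chain class whose readObject() has side effects; real chains reach
// Runtime.exec() or similar through classes already on the classpath.
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Set;

public class DeserializationDemo {

    /** The only type the endpoint legitimately expects (assumed for the demo). */
    public static final class Report implements Serializable {
        private static final long serialVersionUID = 1L;
        final String title;
        Report(String title) { this.title = title; }
    }

    /** Stand-in gadget: deserializing it runs code, here just a flag. */
    public static final class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean triggered = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            triggered = true; // attacker-controlled behaviour would run here
        }
    }

    /** Vulnerable pattern: request body goes straight into ObjectInputStream. */
    public static Object vulnerableHandle(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject(); // Gadget.readObject() runs before the caller sees the type
        }
    }

    /** Hardened pattern: authenticate first, then deserialize under an allow-list filter. */
    public static Report hardenedHandle(String token, byte[] body) throws IOException, ClassNotFoundException {
        if (!"expected-session-token".equals(token)) { // placeholder check, assumed for the demo
            throw new SecurityException("unauthenticated");
        }
        Set<String> allowed = Set.of(Report.class.getName(), String.class.getName());
        ObjectInputFilter filter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) return ObjectInputFilter.Status.UNDECIDED; // depth/length callbacks, no class
            if (c.isArray()) c = c.getComponentType();
            return (c.isPrimitive() || allowed.contains(c.getName()))
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            // A rejected class throws InvalidClassException before any readObject() of it runs.
            return (Report) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] payload = serialize(new Gadget()); // constructed "malicious" request body

        vulnerableHandle(payload);
        System.out.println("vulnerable endpoint: gadget triggered = " + Gadget.triggered);

        Gadget.triggered = false;
        try {
            hardenedHandle("expected-session-token", payload);
        } catch (InvalidClassException e) {
            System.out.println("hardened endpoint rejected payload (" + e.getMessage()
                    + "), gadget triggered = " + Gadget.triggered);
        }

        Report r = hardenedHandle("expected-session-token", serialize(new Report("ok")));
        System.out.println("hardened endpoint accepted report: " + r.title);
    }
}
```

The order of the two checks in the hardened handler is the point: the token check happens before a single byte of the body is parsed, and the filter turns deserialization from "instantiate anything on the classpath" into "instantiate only these types", which is what removes the gadget-chain surface. Filtering alone is still worth applying on authenticated endpoints, since the same bug behind an authentication bypass such as the one described in this article would otherwise be reachable anyway.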