Security researchers warn that multiple enterprise customers have been compromised in connection with a critical flaw in SolarWinds Web Help Desk.
Huntress Labs said that three customers have been exploited, and hackers are deploying remote assist tools against compromised hosts, according to a blog post released Sunday.
The vulnerability, tracked as CVE-2025-40551, involves deserialization of untrusted data and allows an attacker to achieve remote code execution. Last Tuesday, the Cybersecurity and Infrastructure Security Agency added the flaw to its Known Exploited Vulnerabilities catalog, just days after SolarWinds patched the vulnerability.
SolarWinds issued an advisory on Jan. 28 warning about the flaw and urged users to upgrade to a patched version. The flaw was previously discovered by researchers at Horizon3.ai.
Shadowserver on Monday reported about 150 exposed instances of Web Help Desk, a slight decrease from the 170 figure it reported last week.
In one case investigated by Huntress, a hacker deployed Zoho Meetings and Cloudflare to gain persistence and also used a tool called Velociraptor to gain command-and-control capabilities.
Researchers said that hackers used the file-hosting service Catbox to stage a remote management tool called Zoho ManageAgent RMM, before switching to hands-on-keyboard activity.
Huntress researchers believe a threat group tracked as Storm-2603 is behind the attacks.
“Normally, these types of incidents would have led to Warlock ransomware, but in this case, it seems as if the attackers were still in reconnaissance mode, since their main objectives appeared to be to collect system information from as many victims as possible,” Jamie Levy, senior director, adversary tactics, told Cybersecurity Dive.
In a separate case, researchers at Microsoft said hackers deployed a remote monitoring and management tool called Zoho ManageEngine on a compromised system, according to a blog post published Friday.
Those researchers were unable to link the activity to CVE-2025-40551, to a security control bypass flaw tracked as CVE-2025-40536, or to a prior flaw tracked as CVE-2025-26399.