
The breach shows that unpatched IT service‑desk software can become a foothold for sophisticated threat actors, exposing entire enterprise networks to lateral movement and data exfiltration. Prompt patching and network segmentation are essential to prevent similar supply‑chain compromises.
The recent SolarWinds Web Help Desk (WHD) incidents underscore how quickly vulnerabilities in widely deployed service-desk platforms can be weaponized. CVE-2025-40551 and CVE-2025-26399, both cataloged in CISA's Known Exploited Vulnerabilities list, grant attackers arbitrary code execution through untrusted deserialization. Because WHD often runs with elevated privileges and integrates with internal ticketing workflows, a successful exploit provides a privileged foothold that can cascade across an organization's IT ecosystem.
Threat actors in this campaign demonstrated a layered approach to persistence and control. After compromising WHD, they silently installed a Zoho ManageEngine RMM agent, granting continuous remote access without user interaction. They then deployed Velociraptor, a forensic-grade endpoint tool, as a covert command-and-control (C2) channel, routing it through Cloudflare Workers to obscure the true origin of the traffic. Simultaneously, the adversaries disabled native defenses such as Windows Defender and the firewall, created Cloudflare tunnels, and scheduled QEMU-based tasks to survive reboots, illustrating a sophisticated blend of off-the-shelf tools and custom scripts.
For enterprises, the incident reinforces the urgency of a proactive patch management strategy and strict network segmentation. Upgrading WHD to version 2026.1 eliminates the known RCE flaws, while placing administrative interfaces behind VPNs or firewalls reduces exposure. Organizations should also audit service accounts, rotate credentials, and monitor for unauthorized remote‑management binaries. As supply‑chain attacks continue to evolve, combining timely vulnerability remediation with robust detection controls remains the most effective defense against similar multi‑vector intrusions.
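As an added illustration of the monitoring advice above (example code written for this article, not from SolarWinds or the incident responders), the following pass flags the tooling the campaign abused when it shows up on a host where it is not sanctioned. The record format, the allowlist and the binary names in the sample are constructed assumptions; in a real deployment the records would come from EDR process and scheduled-task telemetry.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample telemetry (not from the incident). One record per line:
# host|source|detail, where source is proc (process command line),
# task (scheduled-task action) or defender (Defender status line).
# Paths and binary names are placeholders chosen for the example.
SAMPLE_TELEMETRY = """\
whd-app01|proc|C:\\Program Files\\SolarWinds\\WebHelpDesk\\bin\\java.exe -jar whd.jar
whd-app01|proc|C:\\ProgramData\\rmm\\ManageEngine-agent-PLACEHOLDER.exe --silent --install
whd-app01|proc|C:\\Users\\Public\\velociraptor.exe client -c client.config.yaml
whd-app01|proc|C:\\Users\\Public\\cloudflared.exe tunnel run --token PLACEHOLDER
whd-app01|task|C:\\Users\\Public\\qemu\\qemu-system-x86_64.exe -hda disk.img -nographic
whd-app01|defender|RealTimeProtectionEnabled=False
it-jump02|proc|C:\\Program Files\\Velociraptor\\velociraptor.exe client -c client.config.yaml
"""

# Tools the article describes being abused. Each is legitimate software, so the
# rule is "unexpected on this host", not "malicious by name".
TOOL_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "manageengine_rmm": re.compile(r"manageengine", re.I),
    "velociraptor": re.compile(r"velociraptor", re.I),
    "cloudflare_tunnel": re.compile(r"cloudflared", re.I),
    "qemu": re.compile(r"qemu-system", re.I),
}

# Hypothetical allowlist: (host, tool) pairs where the tool is sanctioned,
# e.g. the IR team's own Velociraptor client on a jump host.
APPROVED: Set[Tuple[str, str]] = {("it-jump02", "velociraptor")}


def scan(telemetry: str, approved: Set[Tuple[str, str]] = APPROVED) -> List[dict]:
    """Return one finding per record that matches a rule and is not allowlisted."""
    findings: List[dict] = []
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        host, source, detail = line.split("|", 2)
        if source == "defender" and re.search(r"RealTimeProtectionEnabled=False", detail, re.I):
            findings.append({"host": host, "rule": "defender_disabled", "evidence": detail})
            continue
        for tool, pattern in TOOL_PATTERNS.items():
            if pattern.search(detail) and (host, tool) not in approved:
                rule = f"unapproved_{tool}"
                if source == "task":
                    rule += "_scheduled_task"  # persistence across reboots, not a one-off run
                findings.append({"host": host, "rule": rule, "evidence": detail})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TELEMETRY):
        print(f"{f['host']}: {f['rule']} <- {f['evidence']}")
```

The allowlist is the important part: every tool here has a legitimate use, so the signal is the combination of host, tool and persistence mechanism rather than the binary name alone.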