Patch now! Attacks on SolarWinds Web Help Desk observed again
According to security researchers, attackers are currently exploiting critical vulnerabilities in SolarWinds Web Help Desk that allow malicious code execution.
Once again, attackers have targeted systems running the ticketing software SolarWinds Web Help Desk (WHD). After a successful attack, PCs must be assumed to be fully compromised. Security patches are available for download.
Background
The US cybersecurity agency CISA recently warned of attacks on a “critical” malicious-code vulnerability (CVE-2025-40551). Now, security researchers from Huntress and Microsoft have documented attacks on another malicious-code vulnerability (CVE-2025-26399, “critical”). This vulnerability became publicly known in September of last year.
The vulnerability exists in the AjaxProxy component, and attackers are said to exploit it remotely and without authentication. They can then execute malicious code on the host system. After successful attacks, attackers establish a backdoor in systems. To do so, they allegedly misuse legitimate applications such as the remote monitoring and management tool Zoho ManageEngine. Additionally, attackers attempt to disable the Defender antivirus scanner and the firewall on Windows.
Admins should ensure that they have installed at least SolarWinds WHD version 2026.1, which is secured against this attack. All previous versions are said to be vulnerable. SolarWinds developers have compiled further information on updating instances in a post.
Furthermore, security researchers recommend that admin access not be publicly accessible. If this is unavoidable, a VPN tunnel must protect connections. Admins should also reset all access credentials.
(des)