www.darkreading.com 2/10/2026, 10:30:47 PM · via preferred

SolarWinds WHD Attacks Highlight Risks of Exposed Apps

CyberSIXT Evidence Panel
- CISA KEV: Listed in KEV
- Patch: Patch available

Threat actors are pouncing on new vulnerabilities in SolarWinds Web Help Desk (WHD), highlighting the risks of exposing applications to the public Internet. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog; SolarWinds initially disclosed the flaw on 28 January, along with five other WHD vulnerabilities.

In a blog post, Microsoft said it observed multistage intrusions against WHD instances and noted that attacks could involve both old and new CVEs, while acknowledging uncertainty over which CVEs were used to gain initial footholds. The article also notes a February 7 intrusion and suggests that some attacks may exploit CVE-2025-26399 or earlier flaws such as CVE-2024-28988.

Publicly accessible WHD instances are at higher risk. Huntress reported a February 7 intrusion in which attackers, after gaining access via the WHD instance, deployed Zoho Meetings and Cloudflare tunnels for persistence; Velociraptor was also used for command and control (C2), and a China-linked group tracked as Storm-2603 was observed abusing Velociraptor in October 2025. The Shadowserver Foundation said its scans show approximately 170 vulnerable WHD instances, underscoring the exposure risk.

The Microsoft Defender Research Team observed that living-off-the-land techniques and legitimate admin tools were used for lateral movement, beginning from Internet-exposed WHD instances. Huntress urged organisations to shield WHD interfaces behind firewalls or VPNs and to update to version 2026.1 or later.


Article by CyberSIXT