Researchers delve inside new SolarWinds RCE attack chain


Researchers at Huntress have published new details on the exploitation of a critical SolarWinds Web Help Desk (WHD) vulnerability, revealing how, in at least three known incidents, attackers carried out extensive post-exploitation activity with a common set of tools, including legitimate services such as Zoho ManageEngine and Elastic.

Tracked as CVE-2025-40551, the data deserialisation vulnerability was first flagged by SolarWinds on 28 January and, last week, was added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalogue, mandating that US government bodies fix it immediately.

“Threat actors are actively weaponising WHD vulnerabilities to achieve remote code execution [RCE] and deploy additional tooling in victim environments,” said the Huntress team.

The research team at Huntress – which protects a number of SolarWinds customers through its channel – found that, having broken into their victim environments, the attackers took control of WHD's service wrapper to spawn the underlying Java application, which enabled them to install a payload that was in fact a Zoho ManageEngine remote monitoring and management (RMM) agent.

This done, the threat actor used the RMM agent to execute a number of Active Directory discovery commands to enumerate the environment. Shortly after this, they opened a Zoho Assist remote session, which they used to install the open source digital forensics and incident response (DFIR) tool Velociraptor.

“While Velociraptor is designed to help defenders with endpoint monitoring and artifact collection, its capabilities, such as remote command execution, file retrieval, and process execution via VQL queries, make it equally effective as a C2 [Command and Control] framework when pointed at attacker-controlled infrastructure,” said Huntress.

In the cases its team investigated, the attackers were actually using a fairly old version of Velociraptor that itself contained a privilege escalation flaw disclosed in 2025. Moreover, the Velociraptor server infrastructure pointed back to a known Cloudflare account associated with the Warlock ransomware operation, a possible hint as to the provenance of the campaign.

Alongside Velociraptor, the threat actor also downloaded Cloudflared, the command line client for Cloudflare Tunnel, probably in an effort to establish a second, redundant means of access.

They then proceeded to execute a PowerShell script to collect system information – data such as operating system version, hardware spec, domain membership and installed hotfixes – that was exfiltrated to a legitimate Elastic Cloud instance being run as a free trial on Elastic's software-as-a-service (SaaS) infrastructure.

The researchers said it was somewhat ironic that the threat actor had essentially built themselves a security information and event management (SIEM) solution on Elastic's infrastructure to triage their victims.

“Elastic's own tooling, often used by defenders for threat hunting and incident response, was repurposed as an attacker's victim management dashboard,” they said.

“We have reported this malicious instance to Elastic as well as law enforcement and carried out victim notification and outreach to non-Huntress partners,” said the Huntress team.

Microsoft reports on further attacks

Huntress' full write-up of its research, available to read in full here, details various other actions taken by the threat actor during the course of their intrusions. Meanwhile, in addition to these findings, Microsoft has published details of a similar multi-stage intrusion orchestrated via SolarWinds WHD, although it has not yet been able to establish whether or not the attackers exploited CVE-2025-40551 or CVE-2025-26399 – another RCE bug disclosed in September 2025 that bypassed a previously fixed flaw, which in turn bypassed a third issue first flagged in 2024.

The incident investigated by Microsoft saw the attackers use the compromised WHD instance to spawn PowerShell in order to download and execute Zoho ManageEngine to gain control of the system, after which they carried out reconnaissance activity while setting up reverse secure shell (SSH) and remote desktop protocol (RDP) access to maintain their bridgehead.

Microsoft also observed the attackers creating a scheduled task to launch a QEMU virtual machine under the SYSTEM account on startup, which essentially let them hide their activity inside the virtualised environment. Huntress had also noted this in some cases.

On some hosts, Microsoft said, the attackers also used dynamic link library (DLL) sideloading to gain access to Local Security Authority Subsystem Service (LSASS) memory in order to steal more credentials.

Besides patching and isolating compromised hosts, Microsoft is advising its customers to evict any RMM artifacts, particularly any associated with ManageEngine, that may have been added after exploitation, and immediately rotate credentials for all service and admin accounts accessible from WHD.
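The behaviours described in the Huntress and Microsoft write-ups (the WHD Java process spawning a shell, Cloudflared or Velociraptor appearing on the host, QEMU running as SYSTEM) lend themselves to simple process-lineage detections. The following is an added example written for this piece, not code from Huntress, Microsoft or SolarWinds; it runs over constructed Sysmon-style process-creation events, and the WHD install path, the tool image names and the sample events are all assumptions.

```python
"""Process-lineage checks for the WHD post-exploitation chain in the
article. Added example, not vendor code; the WHD path, image names and
sample events are assumptions, not observed indicators."""
import re

# WHD's Java process is recognised by "WebHelpDesk"/"whd" in its path or command line (assumed layout).
WHD_RE = re.compile(r"webhelpdesk|whd", re.IGNORECASE)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
TOOLS = {"cloudflared.exe", "velociraptor.exe"}  # tunnel / C2-capable tooling from the report
QEMU_RE = re.compile(r"qemu-system", re.IGNORECASE)

def basename(path):
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_event(ev):
    """Return alert tags for one Sysmon-style process-creation event."""
    image = basename(ev["Image"])
    parent_ctx = ev["ParentImage"] + " " + ev.get("ParentCommandLine", "")
    tags = []
    # 1. The WHD Java process spawning a shell: the RCE foothold stage.
    if image in SHELLS and WHD_RE.search(parent_ctx):
        tags.append("whd_spawned_shell")
    # 2. Cloudflared or Velociraptor executing on the host.
    if image in TOOLS:
        tags.append("tunnel_or_c2_tool")
    # 3. QEMU running as SYSTEM, as with the scheduled task Microsoft observed.
    if QEMU_RE.search(image) and ev.get("User", "").upper().endswith("SYSTEM"):
        tags.append("qemu_as_system")
    return tags

def scan(events):
    """Flatten alerts to (image path, tag) pairs across many events."""
    return [(ev["Image"], tag) for ev in events for tag in check_event(ev)]

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
     "ParentCommandLine": "java -jar whd.jar", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Users\Public\cloudflared.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": r"CORP\svc_whd"},
    {"Image": r"C:\ProgramData\qemu\qemu-system-x86_64.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": "svchost.exe -s Schedule", "User": r"NT AUTHORITY\SYSTEM"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
]

print(scan(SAMPLE_EVENTS))  # three alerts; the notepad event is benign
```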