SolarWinds Web Help Desk Under Active Attack: Critical RCE Exploits Deploy Velociraptor in the Wild
SolarWinds is back in the headlines, and not in a good way. Attackers are actively exploiting critical remote code execution flaws in Web Help Desk, deploying sophisticated reconnaissance tooling in multi-stage attacks. Security researchers are raising alarms about potential zero-day exploitation.
What Happened
Multiple security research teams have confirmed active exploitation of critical RCE vulnerabilities in SolarWinds Web Help Desk (WHD). The attacks follow a deliberate pattern: threat actors compromise exposed WHD servers, establish persistence, then deploy Velociraptor—a legitimate endpoint visibility and forensic tool that’s increasingly weaponized by attackers for reconnaissance and lateral movement.
Here’s the concerning part. While SolarWinds has released patches for known vulnerabilities, security researchers are seeing exploitation patterns that suggest attackers may have been working with zero-day knowledge before public disclosure. The timeline is murky, but the exploitation is real and happening now.
Critical detail: Velociraptor isn’t malware in the traditional sense. It’s an open-source incident response platform that security teams use legitimately. Attackers are using it against organizations precisely because it blends into normal security operations and evades detection.
The multi-stage nature of these attacks shows sophistication. Initial compromise leverages the RCE vulnerability. Then attackers establish a foothold, deploy Velociraptor for environmental awareness, and prepare for subsequent actions—whether that’s data exfiltration, ransomware deployment, or further network penetration.
Who’s Affected
Any organization running SolarWinds Web Help Desk with internet-facing instances is at immediate risk. WHD is commonly deployed by IT service management teams, making this particularly dangerous for managed service providers (MSPs) who could become conduits to client networks.
Enterprise IT departments, educational institutions, government agencies, and healthcare organizations all use WHD for ticketing and asset management. If your WHD instance is externally accessible and unpatched, assume you’re either already compromised or being actively scanned.
The MSP angle deserves emphasis. A compromised help desk system gives attackers visibility into client environments, support tickets containing sensitive information, and potential access credentials. One compromised MSP can cascade into dozens of downstream breaches.
What You Should Do Now
Immediate Actions
- Audit all SolarWinds Web Help Desk instances in your environment. Know what version you’re running and whether it’s internet-facing.
- Apply SolarWinds security patches immediately if you haven’t already. Don’t wait for a maintenance window—this is emergency patching territory.
- Hunt for Velociraptor deployments on systems that shouldn’t have it. Check for the velociraptor.exe process, service installations, and network connections to unexpected command-and-control infrastructure.
- Review WHD access logs for suspicious authentication patterns, particularly privileged account access from unusual IP addresses or geographic locations.
- If you find indicators of compromise, isolate affected systems and initiate your incident response plan before attempting remediation.
Longer-Term Hardening
- Remove internet accessibility from WHD instances wherever possible. Use VPN access for remote administration instead of direct exposure.
- Implement network segmentation so your help desk system can’t serve as a pivot point into critical infrastructure.
- Deploy endpoint detection and response (EDR) tools that can identify living-off-the-land (LOTL) techniques, where attackers use legitimate tools maliciously.
- Establish application allowlisting policies that flag unexpected tool deployments, even for legitimate security software like Velociraptor.
The Certification Connection
CISSP Domain 7: Security Operations
This incident hits directly at security operations and incident response. CISSP exam objectives cover vulnerability management programs, patch deployment processes, and incident handling procedures—all critical components when responding to active exploitation. The exam tests your ability to prioritize patching based on exploitability and business impact, exactly the decision-making required here. You’ll also need to understand detection methodologies for identifying compromised systems and the forensic procedures for investigating multi-stage attacks. Training Camp’s CISSP bootcamp includes hands-on labs where you practice incident response scenarios that mirror real-world situations like this SolarWinds exploitation.
CEH Module 6: System Hacking
The CEH curriculum covers remote code execution vulnerabilities and the techniques attackers use to exploit them. Understanding how threat actors chain vulnerabilities together in multi-stage attacks is fundamental to ethical hacking knowledge. This SolarWinds case demonstrates privilege escalation, persistence mechanisms, and the deployment of post-exploitation tools—all topics CEH candidates must master. The exam tests your knowledge of how attackers maintain access and avoid detection, which is exactly what’s happening with Velociraptor deployment in these compromises. Check out the CEH bootcamp curriculum to see how we cover exploitation techniques and defensive countermeasures.
CompTIA Security+ Objective 3.2: Host and Application Security
Security+ emphasizes vulnerability scanning, patch management, and security baselines—all relevant to preventing incidents like this. The exam tests your understanding of when to apply patches (immediately for critical RCE vulnerabilities affecting internet-facing systems), how to verify patch success, and what compensating controls to implement when patching isn’t immediately possible. You need to know the difference between routine patching and emergency response scenarios. Our CompTIA Security+ bootcamp teaches practical approaches to vulnerability management that go beyond theory.
The Bigger Picture
This isn’t SolarWinds’ first rodeo with major security incidents. The 2020 Sunburst supply chain attack is still fresh in everyone’s memory. While this WHD exploitation is fundamentally different—targeting the product itself rather than the update mechanism—the SolarWinds name carries baggage that makes every new vulnerability a trust crisis.
The weaponization of legitimate security tools represents an evolving challenge for defenders. Velociraptor is valuable for incident response teams precisely because of its powerful capabilities. But those same capabilities make it dangerous in attacker hands. We’re seeing similar patterns with other legitimate tools like Cobalt Strike, Mimikatz, and PowerShell Empire.
Detection becomes harder when you can’t simply block or flag the tool itself. You need behavioral analytics that understand normal versus anomalous usage patterns. An IR team deploying Velociraptor during a known incident investigation looks very different from an unauthorized installation following suspicious authentication activity.
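The hunt steps under Immediate Actions and the behavioral distinction drawn in the paragraph above can be turned into a simple correlation rule: a Velociraptor install that falls outside any tracked incident window, preceded by privileged WHD logins from an untrusted network, is the pattern to escalate. This is an added illustration, not code from the article or from SolarWinds or Velociraptor; the endpoint telemetry schema, WHD log format, host names, IPs and times are all constructed.

```python
# Added example (not from the article): flag Velociraptor installs with no authorized IR window,
# then tie them to preceding suspicious privileged WHD logins. All data below is constructed.
from datetime import datetime, timedelta

# Constructed endpoint telemetry (hypothetical EDR schema): service installs and process starts.
ENDPOINT_EVENTS = [
    {"ts": "2025-10-10T02:14:00", "host": "whd-srv01", "kind": "service_install",
     "image": r"C:\ProgramData\velociraptor.exe"},
    {"ts": "2025-10-10T09:30:00", "host": "ws-ir-07", "kind": "service_install",
     "image": r"C:\Tools\Velociraptor\velociraptor.exe"},
    {"ts": "2025-10-10T02:20:00", "host": "whd-srv01", "kind": "process_start",
     "image": r"C:\Windows\System32\svchost.exe"},
]
# Constructed WHD access log, one login per line: ts user role src_ip result
WHD_AUTH_LOG = """\
2025-10-10T01:57:00 admin privileged 203.0.113.45 failure
2025-10-10T01:58:00 admin privileged 203.0.113.45 success
2025-10-10T09:05:00 jdoe standard 10.20.0.15 success
"""
# Authorized IR deployments, e.g. taken from an open incident ticket: host -> (start, end)
AUTHORIZED_IR = {"ws-ir-07": ("2025-10-10T08:00:00", "2025-10-10T18:00:00")}
TRUSTED_PREFIXES = ("10.",)  # constructed: internal ranges that are normal for admin access
ts = datetime.fromisoformat

def unauthorized_velociraptor(events, authorized=AUTHORIZED_IR):
    """Velociraptor images started outside any known IR deployment window for that host."""
    hits = []
    for e in events:
        if "velociraptor" not in e["image"].lower():
            continue
        win = authorized.get(e["host"])
        if win and ts(win[0]) <= ts(e["ts"]) <= ts(win[1]):
            continue  # legitimate IR team deployment during a tracked incident
        hits.append(e)
    return hits

def suspicious_privileged_logins(log, trusted=TRUSTED_PREFIXES):
    """Privileged WHD logins (successful or not) from IPs outside the trusted ranges."""
    out = []
    for line in log.splitlines():
        when, user, role, ip, result = line.split()
        if role == "privileged" and not ip.startswith(trusted):
            out.append({"ts": when, "user": user, "src_ip": ip, "result": result})
    return out

def correlate(deploys, logins, lookback=timedelta(hours=1)):
    """Pair each unauthorized install with suspicious logins seen shortly before it."""
    return [(d["host"], d["ts"], l["src_ip"], l["result"]) for d in deploys for l in logins
            if timedelta(0) <= ts(d["ts"]) - ts(l["ts"]) <= lookback]
```

The install on the sanctioned IR workstation during its incident window drops out, while the install on the help desk server, minutes after privileged logins from an external address, is what gets paged.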
The zero-day question remains unresolved. If attackers were exploiting these vulnerabilities before public disclosure, we need to ask how they discovered them and whether other undisclosed vulnerabilities exist. Organizations can’t wait for patches to appear—you need defense-in-depth strategies that assume breach and limit attacker movement even after initial compromise.
Bottom line: Patch your SolarWinds Web Help Desk instances immediately, audit for signs of Velociraptor deployment, and seriously consider removing internet accessibility from your WHD servers. This isn’t theoretical risk—it’s confirmed active exploitation with sophisticated multi-stage attacks. Understanding how to respond to incidents like this isn’t just good security practice; it’s essential certification knowledge that demonstrates real-world capability in programs like CISSP and CEH.