CISA has added a critical SolarWinds Web Help Desk deserialization vulnerability (CVE-2025-40551) to its KEV catalog after confirming active exploitation, requiring federal agencies to patch by February 6, 2026.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, marking it as actively exploited in real-world attacks.

The vulnerability, tracked as CVE-2025-40551 with a CVSS score of 9.8, is a deserialization of untrusted data vulnerability that could allow remote code execution without authentication. "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine," CISA stated. "This could be exploited without authentication."
SolarWinds addressed this critical flaw alongside several others in WHD version 2026.1, including:
- CVE-2025-40536 (CVSS 8.1)
- CVE-2025-40537 (CVSS 7.5)
- CVE-2025-40552 (CVSS 9.8)
- CVE-2025-40553 (CVSS 9.8)
- CVE-2025-40554 (CVSS 9.8)
While specific details about how attackers are weaponizing CVE-2025-40551 remain undisclosed, the addition to CISA's KEV catalog confirms active exploitation. This follows a concerning pattern of threat actors rapidly exploiting newly disclosed vulnerabilities.
CISA also added three additional vulnerabilities to the KEV catalog:
- CVE-2019-19006 (CVSS 9.8) - An improper authentication vulnerability in Sangoma FreePBX that potentially allows unauthorized users to bypass password authentication and access administrative services.
- CVE-2025-64328 (CVSS 8.6) - An operating system command injection vulnerability in Sangoma FreePBX that could allow post-authentication command injection via the testconnection -> check_ssh_connect() function, potentially granting remote access as the asterisk user.
- CVE-2021-39935 (CVSS 7.5/6.8) - A server-side request forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions that could allow unauthorized external users to perform server-side requests via the CI Lint API. GreyNoise highlighted exploitation of this vulnerability in March 2025 as part of a coordinated surge in SSRF abuse across multiple platforms.
Federal Civilian Executive Branch (FCEB) agencies face strict deadlines under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. Agencies must patch CVE-2025-40551 by February 6, 2026, and the remaining vulnerabilities by February 24, 2026.
This development underscores the critical importance of prompt patch management, particularly for vulnerabilities with high CVSS scores that enable remote code execution without authentication. Organizations using SolarWinds Web Help Desk should prioritize updating to version 2026.1 immediately to mitigate this actively exploited threat.
For organizations unable to patch immediately, implementing network segmentation, monitoring for unusual deserialization activity, and restricting access to WHD interfaces can provide interim protection while updates are deployed.
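As an added example (not code from the article, CISA or SolarWinds), the following Python script ranks KEV entries against an asset inventory by BOD 22-01 due date, so a defender can see at a glance which of the four vulnerabilities above are overdue, open or already remediated. The feed excerpt uses the catalog's real JSON field names (cveID, vendorProject, product, dueDate) but is a constructed sample, and the inventory and asset names are hypothetical.

```python
"""Triage CISA KEV entries against an asset inventory (added example)."""
import json
from datetime import date

# Constructed sample in the KEV catalog's JSON layout, limited to the CVE IDs,
# products and BOD 22-01 due dates quoted in the article.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dueDate": "2026-02-06"},
    {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma",
     "product": "FreePBX", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma",
     "product": "FreePBX", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab",
     "product": "Community and Enterprise Editions", "dueDate": "2026-02-24"},
]})

# Hypothetical inventory: each asset records which KEV CVEs are already fixed.
INVENTORY = [
    {"asset": "whd-prod-01", "vendor": "SolarWinds",
     "product": "Web Help Desk", "remediated": set()},
    {"asset": "pbx-01", "vendor": "Sangoma",
     "product": "FreePBX", "remediated": {"CVE-2019-19006"}},
]


def triage(feed_json: str, inventory: list, today: date) -> list:
    """Return one row per (asset, KEV entry) match, most urgent first.

    Matching is by vendor/product name only; a real inventory would also
    compare installed versions, which the KEV feed does not carry.
    """
    entries = json.loads(feed_json)["vulnerabilities"]
    rows = []
    for asset in inventory:
        for e in entries:
            if (e["vendorProject"], e["product"]) != (asset["vendor"], asset["product"]):
                continue
            due = date.fromisoformat(e["dueDate"])
            days_left = (due - today).days
            if e["cveID"] in asset["remediated"]:
                status = "remediated"
            elif days_left < 0:
                status = "overdue"
            else:
                status = "open"
            rows.append({"asset": asset["asset"], "cve": e["cveID"],
                         "due": due.isoformat(), "days_left": days_left,
                         "status": status})
    # Overdue first, then soonest due date, then CVE ID for a stable order.
    order = {"overdue": 0, "open": 1, "remediated": 2}
    rows.sort(key=lambda r: (order[r["status"]], r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in triage(KEV_FEED, INVENTORY, date.today()):
        print(row)
```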