CISA has added CVE-2025-40551, a critical deserialization vulnerability in SolarWinds Web Help Desk, to its catalog of actively exploited flaws, giving federal agencies just three days to patch.
CISA has added a critical deserialization vulnerability in SolarWinds Web Help Desk to its catalog of actively exploited flaws, mandating federal agencies to patch within three days while warning all organizations to act immediately.
Critical Vulnerability Details
The vulnerability, tracked as CVE-2025-40551, stems from an untrusted data deserialization weakness that could allow unauthenticated attackers to achieve remote code execution on vulnerable systems. The flaw was discovered and reported by Horizon3.ai security researcher Jimi Sebree.
SolarWinds addressed this issue alongside several other vulnerabilities when it released Web Help Desk 2026.1 on January 28, 2026. The patch bundle also included:
- CVE-2025-40537: A high-severity hardcoded credentials vulnerability (also discovered by Sebree)
- CVE-2025-40552 and CVE-2025-40554: Authentication bypass flaws reported by watchTowr's Piotr Bazydlo
All four vulnerabilities are remotely exploitable, making them particularly dangerous for organizations running unpatched installations.
Federal Mandate and Industry Warning
On February 3, 2026, CISA added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, triggering the three-day patching deadline for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive 22-01. This directive, issued in November 2021, requires federal agencies to patch critical vulnerabilities within specified timeframes when they're known to be actively exploited.
While BOD 22-01 applies only to federal agencies, CISA strongly recommends that all network defenders, including those in the private sector, prioritize patching their Web Help Desk installations immediately.
Historical Context of Web Help Desk Exploits
The urgency of this warning is underscored by the history of attacks targeting SolarWinds Web Help Desk. In October 2024, CISA flagged another Web Help Desk hardcoded credentials flaw as actively exploited in the wild. Prior to that, in September 2025, SolarWinds addressed a patch bypass for an earlier Web Help Desk RCE flaw that had also been exploited in attacks.
This pattern demonstrates that threat actors have consistently targeted Web Help Desk vulnerabilities, making timely patching essential for security.
Widespread Adoption Increases Risk
Web Help Desk is widely deployed across government agencies, large corporations, healthcare organizations, and educational institutions. SolarWinds claims that more than 300,000 customers worldwide use its IT management products, creating a substantial attack surface for threat actors.
The combination of widespread deployment, a history of successful exploits, and the critical nature of this latest vulnerability makes immediate action essential for organizations using the software.
Recommended Actions
Administrators should:
- Immediately update to Web Help Desk 2026.1 or later
- Review access logs for suspicious activity
- Consider implementing network segmentation for Web Help Desk servers
- Monitor for indicators of compromise related to these vulnerabilities
Given the active exploitation and the three-day federal deadline, organizations cannot afford to delay patching this critical vulnerability.
Comments
Please log in or register to join the discussion