CISA Orders Patching of Exploited SolarWinds Web Help Desk RCE (CVE-2025-40551)
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551—a critical (CVSS 9.8) SolarWinds Web Help Desk (WHD) vulnerability—to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. The flaw is described as deserialization of untrusted data that can enable unauthenticated remote code execution, potentially allowing full compromise of affected WHD servers; the issue was reported to SolarWinds by Horizon3.ai researcher Jimi Sebree.
CISA also issued a directive requiring U.S. federal civilian agencies to patch CVE-2025-40551 by the stated deadline, and SolarWinds released a fix in Web Help Desk version 2026.1. Reporting tied the bug to a prior WHD issue (CVE-2024-28986) and characterized CVE-2025-40551 as part of a sequence of vulnerabilities involving bypasses of earlier fixes; CISA’s KEV update also included additional exploited flaws in Sangoma FreePBX (including CVE-2019-19006 and CVE-2025-64328) and GitLab (CVE-2021-39935, SSRF), expanding the set of vulnerabilities agencies must remediate under KEV timelines.
Timeline
Feb 3, 2026
CISA orders federal agencies to patch SolarWinds WHD by February 6
After warning that attackers were actively exploiting CVE-2025-40551, CISA set an accelerated deadline of February 6, 2026 for federal civilian agencies to patch the SolarWinds Web Help Desk flaw. The other newly added KEV vulnerabilities were given a later remediation deadline of February 24, 2026.
Feb 3, 2026
CISA adds CVE-2025-40551 and three other flaws to the KEV catalog
CISA updated its Known Exploited Vulnerabilities catalog to add SolarWinds Web Help Desk CVE-2025-40551, two Sangoma FreePBX flaws, and GitLab CVE-2021-39935, citing active exploitation or credible in-the-wild risk. The KEV addition formally required U.S. federal civilian agencies to remediate the issues under BOD 22-01.
Jan 28, 2026
SolarWinds releases Web Help Desk 2026.1 to patch CVE-2025-40551
SolarWinds disclosed CVE-2025-40551 and released Web Help Desk version 2026.1 to fix the critical unauthenticated deserialization flaw, along with several other security issues. The patch release followed reports from Horizon3.ai and watchTowr.
Dec 5, 2025
Horizon3.ai reports SolarWinds WHD flaw CVE-2025-40551 to SolarWinds
Horizon3.ai researcher Jimi Sebree traced a new SolarWinds Web Help Desk vulnerability, CVE-2025-40551, back to an earlier 2024 issue and reported it to SolarWinds. The report was made on December 5, 2025.
Related Stories

CISA Flags Actively Exploited SolarWinds Web Help Desk Flaw as Metasploit Adds Exploit Modules
**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, including a critical **SolarWinds Web Help Desk (WHD)** security protection bypass tracked as `CVE-2025-40536` (CVSS 9.8). The issue stems from flawed CSRF-check logic that relies on a whitelist of query parameters, which can be bypassed with crafted URI parameters to reach restricted functionality without authentication; SolarWinds patched the flaw in *WHD 2026.1*. CISA set an accelerated remediation deadline for U.S. Federal Civilian Executive Branch agencies, and Microsoft separately reported an active campaign targeting SolarWinds WHD but did not confirm whether `CVE-2025-40536` was the specific vulnerability exploited. Rapid7 reported that **Metasploit added exploit module support for SolarWinds WHD vulnerabilities `CVE-2025-40536` and `CVE-2025-40551`**, enabling post-exploitation sessions running as `NT AUTHORITY\SYSTEM` when successful. This increases operational risk for unpatched environments by lowering the barrier to exploitation and reinforces the urgency of applying SolarWinds’ available fixes and validating exposure of WHD instances, particularly those reachable from untrusted networks.
1 month ago
Critical RCE and Authentication Bypass Vulnerabilities in SolarWinds Web Help Desk
SolarWinds released security updates for *Web Help Desk (WHD)* to address multiple critical vulnerabilities that could allow **unauthenticated remote attackers** to bypass authentication and achieve **remote code execution (RCE)**. The patched issues include two critical authentication bypass flaws, **CVE-2025-40552** and **CVE-2025-40554** (reported by watchTowr researcher Piotr Bazydlo), and two critical RCE flaws tied to **untrusted data deserialization**, **CVE-2025-40553** (Bazydlo) and **CVE-2025-40551** (reported by Horizon3.ai researcher Jimi Sebree), enabling remote command execution without prior access. SolarWinds also fixed a high-severity **hardcoded credentials** issue, **CVE-2025-40537**, which could enable unauthorized access to administrative functions under certain conditions. The vendor advised administrators to upgrade to **Web Help Desk 2026.1** and patch quickly, noting WHD has a history of being targeted and previously had vulnerabilities flagged as actively exploited by CISA, reinforcing the likelihood of rapid attacker interest following disclosure and patch availability.
1 month ago
Active Exploitation of SolarWinds Web Help Desk Insecure Deserialization (CVE-2025-26399)
**CVE-2025-26399** is a **critical insecure deserialization** flaw (CWE-502) in *SolarWinds Web Help Desk* that enables **unauthenticated remote code execution/command execution** over the network. The issue resides in the product’s **`AjaxProxy`** component, where untrusted serialized data can be processed without sufficient validation, allowing an attacker to deliver a crafted payload that results in arbitrary command execution on the host running the help desk application. Multiple reports indicate the vulnerability is **actively exploited in the wild**, prompting **CISA** to add CVE-2025-26399 to the **Known Exploited Vulnerabilities (KEV)** catalog. NetSPI notes the flaw was disclosed in 2025 and is described as a **patch bypass** related to earlier issues (**CVE-2024-28988** and **CVE-2024-28986**), and recommends immediate remediation by upgrading to **SolarWinds Web Help Desk 12.8.7 Hotfix 1 or later**; if patching is delayed, organizations should restrict network exposure of the server and increase monitoring for suspicious process execution and outbound connections.
1 month ago