The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added a critical vulnerability affecting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, confirming that the flaw is being actively exploited in real-world attacks.
The vulnerability, identified as CVE-2025-40551 with a CVSS score of 9.8, involves the deserialization of untrusted data. Successful exploitation of this flaw could allow attackers to achieve remote code execution on affected systems.
According to CISA, the issue enables threat actors to execute commands directly on the host machine without requiring authentication. This significantly increases the risk level, particularly for organizations running exposed or unpatched instances of SolarWinds Web Help Desk.
SolarWinds released security updates last week to address CVE-2025-40551, along with several other high-severity vulnerabilities. These include CVE-2025-40536, CVE-2025-40537, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. All fixes are included in SolarWinds Web Help Desk version 2026.1.
At present, there is no publicly available information detailing how the vulnerability is being exploited, which threat groups are involved, or the scope of the attacks. However, the rapid inclusion of the flaw in the KEV catalog highlights how quickly attackers are weaponizing newly disclosed security issues.
In addition to the SolarWinds vulnerability, CISA has added three more actively exploited flaws to the KEV catalog:
- CVE-2019-19006 with a CVSS score of 9.8, an improper authentication flaw in Sangoma FreePBX that may allow attackers to bypass password protections and gain administrative access.
- CVE-2025-64328 with a CVSS score of 8.6, a command injection vulnerability in Sangoma FreePBX that can be exploited by authenticated users to execute system commands and potentially gain remote access as an asterisk user.
- CVE-2021-39935 with a CVSS score ranging between 7.5 and 6.8, a server-side request forgery vulnerability affecting GitLab Community and Enterprise Editions through the CI Lint API.
The exploitation of CVE-2021-39935 was previously highlighted by GreyNoise in March 2025. The activity was linked to a broader campaign involving the abuse of SSRF vulnerabilities across multiple platforms, including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure.
Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies are required to remediate CVE-2025-40551 by February 6, 2026. The remaining vulnerabilities must be addressed by February 24, 2026, to reduce the risk posed by known exploited security weaknesses.