CISA Warns of Critical SolarWinds Vulnerability; Active Exploitation Confirmed

CISA Flags Critical SolarWinds Web Help Desk Vulnerability Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security flaw affecting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.

Identified as CVE-2025-40551 with a CVSS score of 9.8, this vulnerability stems from the deserialization of untrusted data, potentially leading to remote code execution. CISA’s advisory highlights that this flaw could allow an attacker to run commands on the host machine without requiring authentication.
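The vulnerability class named above, deserialization of untrusted data, is worth seeing in miniature. The following is an added illustration written for this page, not SolarWinds code and not a reproduction of CVE-2025-40551 (Web Help Desk is not a Python application); it uses Python's pickle module because it exposes the mechanism compactly. The unsafe loader lets the serialized bytes name whichever module-level callable they like; the hardened loader overrides `find_class` with an allow-list so the data can only produce objects the program expects. The allow-list contents, the sample pickles and the `builtins.len` stand-in are assumptions chosen for the example.

```python
import io
import pickle

# Allow-list of globals that untrusted pickles may reference. find_class is the
# hook through which a pickle names the module-level callables it wants resolved;
# refusing everything outside this set is what stops attacker-controlled bytes
# from choosing which function runs during deserialization.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("datetime", "datetime"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allow-listed (module, name) pairs."""

    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing global {module}.{name}")


def unsafe_loads(data: bytes):
    """The vulnerable pattern: pickle.loads directly on untrusted bytes."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Hardened form: same bytes, but every global lookup goes through the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def build_callable_pickle() -> bytes:
    """Constructed sample: a pickle that asks the unpickler to invoke a global of
    the sender's choosing. builtins.len with the argument "abc" is a harmless
    stand-in; the point is that the data, not the program, picks the callable."""

    class Trigger:
        def __reduce__(self):
            return (len, ("abc",))

    return pickle.dumps(Trigger())


def build_benign_pickle() -> bytes:
    """Constructed sample: plain containers, which need no global lookups at all."""
    return pickle.dumps({"ticket": 42, "tags": ["open", "p1"]})


def safe_loads_rejects(data: bytes) -> bool:
    """True when the hardened loader refuses the data."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    payload = build_callable_pickle()
    print("unsafe_loads ran the sender's callable, result:", unsafe_loads(payload))
    print("safe_loads refused it:", safe_loads_rejects(payload))
    print("safe_loads still handles ordinary data:", safe_loads(build_benign_pickle()))
```

The allow-list is the important design choice: a deny-list of "dangerous" modules is brittle because the set of callables reachable through a deserializer is open-ended, whereas enumerating the handful of types an endpoint legitimately needs is small and auditable. The same principle applies to Java's `ObjectInputFilter`, which is the usual mitigation in the ecosystem where tools like WHD live.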

In response, SolarWinds has released patches addressing this and other vulnerabilities, including CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8), all incorporated in WHD version 2026.1.

While specific details regarding the exploitation methods, targets, or the scale of attacks remain undisclosed, this development underscores the rapid pace at which threat actors are leveraging newly disclosed vulnerabilities.

Additionally, CISA has expanded its KEV catalog to include three other vulnerabilities:

– CVE-2019-19006 (CVSS score: 9.8): An improper authentication flaw in Sangoma FreePBX, potentially allowing unauthorized users to bypass password authentication and access administrative services.

– CVE-2025-64328 (CVSS score: 8.6): An operating system command injection vulnerability in Sangoma FreePBX, enabling authenticated users to execute arbitrary commands via the testconnection -> check_ssh_connect() function, potentially gaining remote system access.

– CVE-2021-39935 (CVSS score: 7.5/6.8): A server-side request forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions, allowing unauthorized external users to perform server-side requests via the CI Lint API.

Notably, the exploitation of CVE-2021-39935 was highlighted by GreyNoise in March 2025, amidst a surge in the abuse of SSRF vulnerabilities across multiple platforms, including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure.

The abuse of CVE-2019-19006 dates back to November 2020, when Check Point detailed a cyber fraud operation named INJ3CTOR3. This operation exploited the flaw to compromise VoIP servers, subsequently selling access to the highest bidders. As recently as last week, Fortinet reported that the threat actor behind this activity has been exploiting CVE-2025-64328 since early December 2025 to deploy a web shell known as EncystPHP.

Security researcher Vincent Li noted that in 2022, the threat actor shifted focus to the Elastix system via CVE-2021-45461. These incidents typically begin with the exploitation of a FreePBX vulnerability, followed by the deployment of a PHP web shell in the target environments.

Once activated, EncystPHP attempts to collect FreePBX database configurations, establishes persistence by creating a root-level user named ‘newfpbx,’ resets multiple user account passwords, and modifies the SSH authorized_keys file to ensure remote access. The web shell also provides an interactive interface supporting several predefined operational commands, including file system enumeration, process inspection, querying active Asterisk channels, listing Asterisk SIP peers, and retrieving multiple FreePBX and Elastix configuration files.

Li explained that by leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment. Such activity can blend into legitimate FreePBX and Elastix components, potentially evading immediate detection and leaving affected systems exposed to risks like long-term persistence, unauthorized administrative access, and abuse of telephony resources.
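The persistence artefacts attributed to EncystPHP above (a root-level account named 'newfpbx', reset account passwords, and an edited SSH authorized_keys file) are all visible in ordinary host files, so a defender can triage a FreePBX or Elastix box without any vendor tooling. The script below is an added example for this page, not Fortinet's or the FreePBX project's code. It parses constructed samples of /etc/passwd, /etc/shadow and an authorized_keys file (all labelled as constructed; the hashes, key blobs and dates are placeholders) and reports the indicators a responder would want to confirm. The baseline day number and the known-good key set are assumptions a real deployment would supply from its own configuration management.

```python
# Host-side triage for the persistence artefacts the article attributes to
# EncystPHP. Every input below is a constructed sample, not data from a real
# incident; on a live host you would read the three files from disk instead.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
asterisk:x:1000:1000:Asterisk:/var/lib/asterisk:/sbin/nologin
newfpbx:x:0:0::/root:/bin/bash
"""

# /etc/shadow fields: name:hash:lastchg(days since 1970-01-01):min:max:warn:...
SAMPLE_SHADOW = """\
root:$6$constructedhash1:20450:0:99999:7:::
asterisk:!!:19000:0:99999:7:::
newfpbx:$6$constructedhash2:20450:0:99999:7:::
"""

# authorized_keys lines may carry a leading options field before the key type.
SAMPLE_AUTH_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNGOODKEY ops@example.invalid
from="203.0.113.7" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABEXAMPLEUNKNOWNKEY x@x
"""

# Assumed baseline: key fingerprints/blobs provisioned by the administrators.
KNOWN_GOOD_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKNOWNGOODKEY"}
# Account name reported for EncystPHP in the article.
SUSPICIOUS_ACCOUNTS = {"newfpbx"}
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def _records(text):
    """Yield non-empty, non-comment lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line


def check_passwd(text):
    """Flag the reported account name and any extra uid-0 account."""
    findings = []
    for line in _records(text):
        fields = line.split(":")
        if len(fields) < 7:
            continue
        name, uid = fields[0], fields[2]
        if name in SUSPICIOUS_ACCOUNTS:
            findings.append(f"passwd: account name reported for EncystPHP present: {name}")
        if uid == "0" and name != "root":
            findings.append(f"passwd: uid-0 account other than root: {name}")
    return findings


def check_shadow(text, baseline_day):
    """Flag accounts whose password changed after a known-good baseline day."""
    findings = []
    for line in _records(text):
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) > baseline_day:
            findings.append(
                f"shadow: password for {fields[0]} changed on day {fields[2]} "
                f"(baseline {baseline_day})"
            )
    return findings


def check_authorized_keys(text, known_good):
    """Flag any key blob not in the administrator-provisioned set."""
    findings = []
    for line in _records(text):
        parts = line.split()
        for i, token in enumerate(parts):
            if token.startswith(KEY_TYPE_PREFIXES):
                blob = parts[i + 1] if i + 1 < len(parts) else ""
                comment = " ".join(parts[i + 2:]) or "(no comment)"
                if blob not in known_good:
                    findings.append(f"authorized_keys: unknown key {comment}")
                break
    return findings


def triage(passwd, shadow, auth_keys, known_good, baseline_day):
    """Combine the three checks into one finding list."""
    return (check_passwd(passwd)
            + check_shadow(shadow, baseline_day)
            + check_authorized_keys(auth_keys, known_good))


if __name__ == "__main__":
    for finding in triage(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_AUTH_KEYS,
                          KNOWN_GOOD_KEYS, baseline_day=20400):
        print(finding)
```

The three checks are deliberately independent so each can be pointed at a file copied off a suspect host. The shadow check is the one most likely to surface the "resets multiple user account passwords" behaviour: a cluster of accounts whose last-change day is identical and recent is unusual on a PBX that nobody administers daily, and it survives even if the attacker later removes the extra account.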

Federal Civilian Executive Branch (FCEB) agencies are mandated to address CVE-2025-40551 by February 6, 2026, and the remaining vulnerabilities by February 24, 2026, in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.