CISA Warns of Critical SolarWinds Vulnerability Amid Active Exploitation; Patch Urged

CISA Flags Critical SolarWinds Web Help Desk Vulnerability Amid Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw in SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The vulnerability, tracked as CVE-2025-40551 (CVSS score: 9.8), is a deserialization of untrusted data issue that could lead to remote code execution without the need for authentication.

CISA’s advisory highlights the severity of this issue, stating that the flaw could allow an attacker to run commands on the host machine, and emphasizes the risk posed by unauthenticated exploitation. In response, SolarWinds has released patches addressing this and other vulnerabilities, including CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8), all of which are fixed in WHD version 2026.1.

While specific details regarding the exploitation methods, targets, or the scale of attacks remain undisclosed, this development underscores the rapid pace at which threat actors are leveraging newly disclosed vulnerabilities.

In addition to the SolarWinds flaw, CISA has added three other vulnerabilities to the KEV catalog:

– CVE-2019-19006 (CVSS score: 9.8): An improper authentication vulnerability in Sangoma FreePBX that may allow unauthorized users to bypass password authentication and access administrative services.

– CVE-2025-64328 (CVSS score: 8.6): An operating system command injection vulnerability in Sangoma FreePBX, enabling authenticated users to execute commands via the testconnection -> check_ssh_connect() function, potentially gaining remote access as the asterisk user.

– CVE-2021-39935 (CVSS score: 7.5/6.8): A server-side request forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions, allowing unauthorized external users to perform server-side requests via the CI Lint API.

Notably, the exploitation of CVE-2021-39935 was previously highlighted by GreyNoise in March 2025, as part of a coordinated surge in the abuse of SSRF vulnerabilities across multiple platforms, including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure.

Federal Civilian Executive Branch (FCEB) agencies are mandated to address CVE-2025-40551 by February 6, 2026, and the remaining vulnerabilities by February 24, 2026, in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.