CISA Flags Critical SolarWinds Web Help Desk Vulnerability Amid Active Exploitation
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently added a critical security vulnerability affecting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, highlighting active exploitation in the wild.
Identified as CVE-2025-40551 with a CVSS score of 9.8, this flaw involves the deserialization of untrusted data, potentially leading to remote code execution. This vulnerability allows attackers to execute arbitrary commands on the host machine without requiring authentication. CISA emphasized the severity, stating, "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication."
In response, SolarWinds has released patches addressing this and other vulnerabilities, including CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8), all incorporated in WHD version 2026.1.
While specific details regarding the exploitation methods, targets, or the scale of attacks remain undisclosed, this development underscores the rapid pace at which threat actors are leveraging newly disclosed vulnerabilities.
In addition to the SolarWinds vulnerability, CISA has expanded its KEV catalog to include three other actively exploited vulnerabilities:
– CVE-2019-19006 (CVSS score: 9.8): An improper authentication flaw in Sangoma FreePBX, potentially allowing unauthorized users to bypass password authentication and access services provided by the FreePBX administrator.
– CVE-2025-64328 (CVSS score: 8.6): An operating system command injection vulnerability in Sangoma FreePBX, enabling post-authentication command injection by an authenticated user via the testconnection -> check_ssh_connect() function, potentially granting remote access to the system as the asterisk user.
– CVE-2021-39935 (CVSS score: 7.5/6.8): A server-side request forgery (SSRF) vulnerability in GitLab Community and Enterprise Editions, allowing unauthorized external users to perform server-side requests via the CI Lint API.
Notably, the exploitation of CVE-2021-39935 was highlighted by GreyNoise in March 2025, as part of a coordinated surge in the abuse of SSRF vulnerabilities across multiple platforms, including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure.
The abuse of CVE-2019-19006 dates back to November 2020, when Check Point disclosed details of a cyber fraud operation codenamed INJ3CTOR3. This operation leveraged the flaw to compromise VoIP servers, subsequently selling access to the highest bidders. As recently as last week, Fortinet revealed that the threat actor behind this activity has weaponized CVE-2025-64328 starting early December 2025 to deploy a web shell known as EncystPHP.
EncystPHP, once deployed, attempts to collect FreePBX database configurations, establishes persistence by creating a root-level user named ‘newfpbx,’ resets multiple user account passwords, and modifies the SSH authorized_keys file to ensure remote access. The web shell also provides an interactive interface supporting several predefined operational commands, including file system enumeration, process inspection, querying active Asterisk channels, listing Asterisk SIP peers, and retrieving multiple FreePBX and Elastix configuration files.
By leveraging Elastix and FreePBX administrative contexts, the web shell operates with elevated privileges, enabling arbitrary command execution on the compromised host and initiating outbound call activity through the PBX environment. Such activity may evade immediate detection, leaving affected systems exposed to significant risks, including long-term persistence, unauthorized administrative access, and abuse of telephony resources.
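As an added illustration for defenders (not code from the article, from CISA, or from any vendor named above), the following Python audit checks two host-level persistence indicators the EncystPHP description gives: an extra UID 0 account (the report names ‘newfpbx’) and an unrecognised entry in root's SSH authorized_keys. The sample /etc/passwd and authorized_keys contents are constructed, and the allowlist of known key comments is an assumption a site would replace with its own.

```python
# Constructed sample inputs (not from the article). The 'newfpbx' entry
# mirrors the root-level account the EncystPHP description names; the
# second authorized_keys line stands in for a hypothetical added key.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "asterisk:x:1001:1001::/var/lib/asterisk:/sbin/nologin\n"
    "newfpbx:x:0:0::/root:/bin/bash\n"
)
SAMPLE_AUTH_KEYS = (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial admin@pbx\n"
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleKeyMaterial\n"
)
# Assumed site-specific allowlist of key comments the operator recognises.
KNOWN_KEY_COMMENTS = {"admin@pbx"}
# Account name the article attributes to EncystPHP persistence.
SUSPICIOUS_ACCOUNTS = {"newfpbx"}


def extra_uid0_accounts(passwd_text):
    """Names of accounts other than 'root' whose UID field is 0."""
    found = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            found.append(fields[0])
    return found


def unknown_authorized_keys(auth_keys_text, known_comments):
    """authorized_keys lines whose trailing comment is not allowlisted."""
    unknown = []
    for line in auth_keys_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()  # type, key blob, optional comment
        comment = parts[2] if len(parts) >= 3 else ""
        if comment not in known_comments:
            unknown.append(line)
    return unknown


def audit(passwd_text, auth_keys_text, known_comments):
    """Collect findings matching the persistence steps described above."""
    findings = []
    for name in extra_uid0_accounts(passwd_text):
        tag = "named-in-report" if name in SUSPICIOUS_ACCOUNTS else "unexpected"
        findings.append(f"uid0-account:{name}:{tag}")
    for key in unknown_authorized_keys(auth_keys_text, known_comments):
        findings.append(f"unknown-ssh-key:{key.split()[0]}")
    return findings
```

On a live host the same functions would be fed the contents of /etc/passwd and /root/.ssh/authorized_keys; key entries with an options prefix are not parsed by this simplified splitter.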
Federal Civilian Executive Branch (FCEB) agencies are mandated to address CVE-2025-40551 by February 6, 2026, and the remaining vulnerabilities by February 24, 2026, in accordance with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities.