A US security agency has warned SolarWinds Web Help Desk users that a remote code execution (RCE) vulnerability patched by the vendor last week is being actively exploited.
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) Catalog yesterday, giving federal civilian agencies until Friday to patch it.
The CVE has a CVSS score of 9.8 as it could allow unauthenticated adversaries to gain admin-level access to help-desk systems in low complexity attacks.
It’s described by CISA as a “deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine.”
Read more on SolarWinds CVEs: SolarWinds Urges Upgrade After Revealing Critical RCE Bug.
The three-day deadline mandated by CISA hints at the seriousness of potential exploitation. The popular IT ticketing software is used across government, but also in the private sector, especially in education and healthcare.
Although CISA’s KEV applies only to federal agencies, enterprises should broadly follow the same advice in order to minimize their attack surface.
Four Critical Vulnerabilities Identified
Discovered by Jimi Sebree of Horizon3.ai, CVE-2025-40551 is one of four critical vulnerabilities found in SolarWinds Web Help Desk and fixed by the vendor in an update on January 28.
The remaining three were found by Piotr Bazydlo from watchTowr. CVE-2025-40553 is given the exact same description as CVE-2025-40551: a deserialization of untrusted data RCE vulnerability.
CVE-2025-40552 is an authentication bypass vulnerability which could allow an attacker to “execute actions and methods that should be protected by authentication.” CVE-2025-40554 is also an authentication bypass vulnerability, but one which, if exploited, “could allow an attacker to invoke specific actions within Web Help Desk.”
All four are assigned CVSS scores of 9.8, although only CVE-2025-40551 appears to be under active exploitation at the time of writing.
Attackers could chain CVE-2025-40552 or CVE-2025-40554 with CVE-2025-40551 or CVE-2025-40553 to gain complete control of targeted systems for lateral movement, data theft and ransomware.
Customers are urged to update vulnerable servers to Web Help Desk 2026.1 as soon as possible according to SolarWinds’ instructions.
Image credit: Ascannio / Shutterstock.com
