CVE-2025-40551: SolarWinds Web Help Desk Vulnerability Actively Exploited


CISA has added a critical SolarWinds Web Help Desk vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that the flaw is being actively exploited in real-world attacks. This move highlights the growing speed at which cybercriminals weaponize newly disclosed security flaws and the urgent need for organizations to apply patches without delay.

The vulnerability, tracked as CVE-2025-40551, carries a CVSS score of 9.8, making it a critical-severity issue. According to CISA, the flaw is caused by the deserialization of untrusted data, which can allow an attacker to achieve remote code execution (RCE) on affected systems.

SolarWinds Web Help Desk (WHD) is a widely used IT service management and help desk solution across enterprises, government agencies, and educational institutions. Because WHD often runs with elevated privileges and has access to internal systems, any critical vulnerability in the software poses a serious security risk.

CISA explained that CVE-2025-40551 allows attackers to send maliciously crafted data to the application. If successfully exploited, this vulnerability can enable an attacker to execute arbitrary commands on the underlying host machine. Even more concerning, the attack does not require authentication, meaning threat actors could exploit it without valid login credentials.

In simple terms, this flaw could let attackers take control of vulnerable servers remotely, potentially leading to data theft, malware deployment, ransomware attacks, or full system compromise.

SolarWinds responded quickly and released security updates for Web Help Desk version 2026.1, which address CVE-2025-40551 along with several other serious vulnerabilities. The additional flaws fixed in this release include:

  • CVE-2025-40536 (CVSS 8.1)

  • CVE-2025-40537 (CVSS 7.5)

  • CVE-2025-40552 (CVSS 9.8)

  • CVE-2025-40553 (CVSS 9.8)

  • CVE-2025-40554 (CVSS 9.8)

Many of these vulnerabilities also carry high or critical severity ratings, reinforcing the importance of upgrading to the latest version as soon as possible.

At present, no public technical details have been released about how CVE-2025-40551 is being exploited, who the attackers are, or which organizations are being targeted. However, its inclusion in the KEV Catalog confirms that exploitation is already happening, making it a high-priority issue for defenders.

Alongside the SolarWinds Web Help Desk flaw, CISA also added three other actively exploited vulnerabilities to the KEV list. These vulnerabilities affect widely deployed enterprise platforms and could be leveraged for unauthorized access or remote attacks.

Sangoma FreePBX Authentication Bypass CVE-2019-19006

This vulnerability (CVSS score: 9.8) impacts Sangoma FreePBX, a popular open-source PBX system. It allows attackers to bypass authentication mechanisms and gain unauthorized access to services managed by the FreePBX administrator. Exploitation could result in call interception, fraud, or further network compromise.

Sangoma FreePBX Command Injection CVE-2025-64328

With a CVSS score of 8.6, this flaw allows operating system command injection through a specific function in FreePBX. While authentication is required, a known user could exploit the vulnerability to run system commands and potentially gain remote access as the asterisk user.

GitLab SSRF Vulnerability CVE-2021-39935

This server-side request forgery (SSRF) vulnerability affects GitLab Community and Enterprise Editions. It allows unauthenticated external attackers to send server-side requests via the CI Lint API, which could be abused to access internal resources or cloud metadata services.


The exploitation of CVE-2021-39935 was previously highlighted by GreyNoise in March 2025. Researchers observed a coordinated surge in attacks abusing SSRF vulnerabilities across multiple platforms.

Other affected products included DotNetNuke, Zimbra Collaboration Suite, VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure. This trend shows that attackers increasingly favor SSRF flaws as an entry point into enterprise environments, particularly cloud and hybrid infrastructures.

Under Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate known exploited vulnerabilities within strict timelines.

CISA has set the following deadlines:

  • CVE-2025-40551 (SolarWinds WHD) must be patched by February 6, 2026

  • All other newly added KEV vulnerabilities must be fixed by February 24, 2026

While these deadlines apply directly to federal agencies, CISA strongly encourages private organizations, enterprises, and critical infrastructure operators to follow the same guidance.

Security teams using SolarWinds Web Help Desk or any of the affected products should take immediate action:

  • Upgrade to SolarWinds Web Help Desk version 2026.1

  • Review systems for signs of compromise

  • Restrict network exposure where possible

  • Monitor logs for suspicious activity

  • Prioritize patching of all KEV-listed vulnerabilities
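The last bullet, prioritizing KEV-listed vulnerabilities against the BOD 22-01 deadlines above, is easy to automate once the KEV feed is parsed. The following script is an added example written for this article, not code from CISA or SolarWinds. It reads KEV-style JSON records (the field names cveID, vendorProject, product and dueDate are the ones the public feed uses), keeps only the entries that match a hypothetical asset inventory, and ranks them by remediation deadline, flagging any that are already overdue. The sample feed below is constructed from the CVE ids and due dates quoted in this article; the inventory is invented.

```python
import json
from datetime import date

# Constructed sample in the shape of the public KEV JSON feed. The CVE ids
# and due dates are the ones quoted in the article; everything else is a
# minimal stand-in for the real feed.
SAMPLE_KEV_JSON = """
{
  "vulnerabilities": [
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dueDate": "2026-02-06"},
    {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma",
     "product": "FreePBX", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma",
     "product": "FreePBX", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab",
     "product": "Community and Enterprise Editions", "dueDate": "2026-02-24"}
  ]
}
"""

# Hypothetical asset inventory: lower-cased vendor -> product name fragments
# that appear in the organisation's own CMDB. FreePBX is deliberately absent
# so the script shows that unmatched KEV entries are dropped from the list.
INVENTORY = {
    "solarwinds": ["web help desk"],
    "gitlab": ["community", "enterprise"],
}


def load_kev(text):
    """Parse a KEV feed document and return its list of vulnerability records."""
    return json.loads(text)["vulnerabilities"]


def in_inventory(record, inventory):
    """True if the record's vendor/product pair matches something we run."""
    vendor = record.get("vendorProject", "").lower()
    product = record.get("product", "").lower()
    fragments = inventory.get(vendor)
    if not fragments:
        return False
    return any(fragment in product for fragment in fragments)


def triage(records, inventory, today):
    """Return inventory-matching KEV entries ranked by deadline, most urgent first.

    `today` may be a datetime.date or an ISO-8601 string such as "2026-02-10".
    Each result carries the days remaining (negative when the deadline has
    passed) and an explicit overdue flag.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hits = []
    for record in records:
        if not in_inventory(record, inventory):
            continue
        due = date.fromisoformat(record["dueDate"])
        days_left = (due - today).days
        hits.append({
            "cve": record["cveID"],
            "product": f'{record["vendorProject"]} {record["product"]}',
            "due": record["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    # Earliest deadline first; tie-break on CVE id for a stable report.
    hits.sort(key=lambda h: (h["days_left"], h["cve"]))
    return hits


if __name__ == "__main__":
    # Report as of a date between the two deadlines quoted in the article.
    for hit in triage(load_kev(SAMPLE_KEV_JSON), INVENTORY, "2026-02-10"):
        status = "OVERDUE" if hit["overdue"] else f'{hit["days_left"]}d left'
        print(f'{hit["cve"]:16} {hit["product"]:40} due {hit["due"]}  {status}')
```

In practice the feed text would come from CISA's published KEV JSON rather than the embedded sample, and the inventory from the organisation's asset database; the matching deliberately uses product-name fragments because KEV product strings rarely match CMDB names exactly.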

The addition of CVE-2025-40551 to the KEV Catalog is a clear reminder that unpatched vulnerabilities remain one of the most common and effective attack vectors. Organizations that delay updates risk becoming easy targets for opportunistic and advanced threat actors alike.
