The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, flagging it as being actively exploited in attacks.
This vulnerability, tracked as CVE-2025-40551 (CVSS score: 9.8), is an untrusted data deserialization vulnerability that could lead to remote code execution.
“SolarWinds Web Help Desk contains an untrusted data deserialization vulnerability that could lead to remote code execution, allowing an attacker to execute commands on the host machine,” CISA said. “This can be exploited without authentication.”
SolarWinds last week issued fixes for this flaw: CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8) Published with CVE-2025-40554 (CVSS score: 9.8), WHD version 2026.1.
At this time, it has not been disclosed how this vulnerability is being exploited, who is targeted, or the scale of the attack. This is the latest example of how threat actors are moving quickly to exploit newly revealed flaws.
Three other vulnerabilities have been added to the KEV catalog.
CVE-2019-19006 (CVSS Score: 9.8) – Improper authentication vulnerability in Sangoma FreePBX could allow an unprivileged user to bypass password authentication and gain access to services provided by a FreePBX administrator CVE-2025-64328 (CVSS Score: 8.6) – Sangoma FreePBX Operating System Commands Injection vulnerability could allow post-authentication command execution CVE-2021-39935 (CVSS score: 7.5/6.8) – Server-side request forgery (SSRF) in GitLab Community and Enterprise Editions could be injected by a known authenticated user via the testconnection -> check_ssh_connect() function and gain remote access to the system as the Asterisk user. A vulnerability could allow an unprivileged external user to make server-side requests via the CI Lint API.
It is worth noting that the exploitation of CVE-2021-39935 was brought to our attention by GreyNoise in March 2025 as part of a coordinated spike in SSRF vulnerability exploitation across multiple platforms including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure.
Federal Civilian Executive Branch (FCEB) agencies must remediate CVE-2025-40551 by February 6, 2026, and the remainder by February 24, 2026, in accordance with Binding Operating Directive (BOD) 22-01: Reducing the Significant Risk of Exploited Known Vulnerabilities.
Source link
