The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical security flaw affecting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog. The listing, announced on Tuesday, means CISA has evidence that the vulnerability is being actively exploited in real-world attacks, and it puts the flaw on the remediation clock for federal agencies.
The newly cataloged vulnerability, CVE-2025-40551, carries a CVSS score of 9.8 (Critical). CISA describes it as a deserialization of untrusted data flaw. Bugs of this class are dangerous because the application reconstructs attacker-supplied serialized objects; a crafted object can trigger code paths the developer never intended, which in the worst case lets an unauthenticated remote attacker execute arbitrary code on the server.
Active Exploitation of SolarWinds Web Help Desk Vulnerability
According to CISA, the deserialization flaw in SolarWinds Web Help Desk allows an attacker to execute commands on the host machine, and the agency stresses that no prior authentication is needed. That removes the usual first hurdle for an attacker and widens the set of exposed systems to every reachable WHD instance running a vulnerable version.
SolarWinds has already released a fix, included in Web Help Desk version 2026.1. The same release also addresses several other vulnerabilities in the product.
Other Vulnerabilities Addressed by SolarWinds
Version 2026.1 also fixes CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8). Details on how CVE-2025-40551 is being weaponized, who is being targeted, and the scale of the attacks have not been disclosed. Its presence in the KEV catalog alone, however, is reason enough for organizations running Web Help Desk to update now rather than wait for exploit details.
Rapid exploitation of newly disclosed vulnerabilities is a recurring pattern: once a flaw is public and a patch exists, attackers work to exploit it before every affected organization has applied the update. The SolarWinds Web Help Desk case is another instance of that pattern.
Additional Vulnerabilities Added to KEV Catalog
Alongside the SolarWinds Web Help Desk flaw, CISA added three other vulnerabilities to the KEV catalog on the same day. They affect two different products and involve distinct weakness classes: authentication bypass, command injection, and server-side request forgery.
One such vulnerability, CVE-2019-19006 (CVSS score: 9.8), impacts Sangoma FreePBX. It is described as an improper authentication vulnerability that could permit unauthorized users to bypass password protections and gain access to administrator services. This type of flaw can lead to significant unauthorized access and control within an organization’s communication systems.
Another FreePBX vulnerability, CVE-2025-64328 (CVSS score: 8.6), is an operating system command injection flaw. An authenticated user can inject commands through the `testconnection -> check_ssh_connect()` function, which executes in the context of the `asterisk` user, and use them to gain remote access to the system.
Furthermore, CVE-2021-39935 (CVSS score: 7.5/6.8) in GitLab Community and Enterprise Editions was also added. This server-side request forgery (SSRF) vulnerability enables unauthorized external users to initiate server-side requests via the CI Lint API. The exploitation of CVE-2021-39935 was previously noted by threat intelligence firm GreyNoise in March 2025, as part of a broader surge in the abuse of SSRF vulnerabilities across various platforms, including Zimbra, VMware vCenter, and Ivanti Connect Secure.
Under Binding Operational Directive (BOD) 22-01, which requires agencies to remediate vulnerabilities in the KEV catalog by their assigned due dates, Federal Civilian Executive Branch (FCEB) agencies must address CVE-2025-40551 by February 6, 2026. The other three additions carry a due date of February 24, 2026, so the SolarWinds flaw has been given a markedly shorter remediation window than the rest of the batch.
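Organizations outside the federal government are not bound by BOD 22-01, but the KEV catalog and its due dates are a useful prioritization signal for anyone. The script below is an added example, not code from the article, CISA or SolarWinds: it cross-checks a software inventory against KEV entries and orders the hits by due date. It relies on the field names of CISA's public KEV JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`); the feed contents and the inventory are constructed samples so the script runs offline, and the `dateAdded` values are placeholders rather than the catalog's real dates.

```python
"""Cross-check a software inventory against CISA KEV entries.

Added example, not code from the article, CISA or SolarWinds. Uses the
field names of the public KEV JSON feed; the feed below is a constructed
sample so the script runs offline. For real use, replace SAMPLE_KEV_JSON
with the downloaded known_exploited_vulnerabilities.json.
"""
import json
from datetime import datetime

# Constructed sample in the shape of the KEV feed. CVE IDs, vendors, products
# and due dates follow the article; dateAdded values are placeholders.
SAMPLE_KEV_JSON = """
{
  "title": "constructed sample, not the real KEV feed",
  "vulnerabilities": [
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dateAdded": "2026-02-03",
     "dueDate": "2026-02-06"},
    {"cveID": "CVE-2019-19006", "vendorProject": "Sangoma",
     "product": "FreePBX", "dateAdded": "2026-02-03",
     "dueDate": "2026-02-24"},
    {"cveID": "CVE-2025-64328", "vendorProject": "Sangoma",
     "product": "FreePBX", "dateAdded": "2026-02-03",
     "dueDate": "2026-02-24"},
    {"cveID": "CVE-2021-39935", "vendorProject": "GitLab",
     "product": "Community and Enterprise Editions", "dateAdded": "2026-02-03",
     "dueDate": "2026-02-24"}
  ]
}
"""

# Constructed inventory with the inconsistent casing an asset export often has.
SAMPLE_INVENTORY = [
    {"host": "helpdesk01", "vendor": "solarwinds", "product": "web help desk", "version": "2025.2"},
    {"host": "pbx-core", "vendor": "Sangoma", "product": "FreePBX", "version": "17"},
    {"host": "wiki01", "vendor": "Atlassian", "product": "Confluence", "version": "9.2"},
]


def _key(vendor: str, product: str) -> tuple:
    """Normalise vendor/product for matching: case- and whitespace-insensitive."""
    return (" ".join(vendor.lower().split()), " ".join(product.lower().split()))


def load_kev(feed_text: str) -> list:
    """Parse the KEV feed JSON and return its vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def triage(kev_entries: list, inventory: list, today: str) -> list:
    """Return one record per (host, KEV entry) match, most urgent first.

    KEV names products, not versions, so every install of a listed product is
    flagged; whether a given version is fixed must be confirmed against the
    vendor advisory (for Web Help Desk the article says 2026.1 carries the fix).
    `today` is an ISO date string so the caller controls the reference date.
    """
    ref = datetime.strptime(today, "%Y-%m-%d").date()
    by_product = {}
    for entry in kev_entries:
        by_product.setdefault(_key(entry["vendorProject"], entry["product"]), []).append(entry)

    records = []
    for asset in inventory:
        for entry in by_product.get(_key(asset["vendor"], asset["product"]), []):
            due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
            days_left = (due - ref).days
            records.append({
                "host": asset["host"],
                "version": asset["version"],
                "cveID": entry["cveID"],
                "dueDate": entry["dueDate"],
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    # Soonest due date first; stable CVE order within the same date.
    records.sort(key=lambda r: (r["days_left"], r["cveID"]))
    return records


if __name__ == "__main__":
    for r in triage(load_kev(SAMPLE_KEV_JSON), SAMPLE_INVENTORY, "2026-02-05"):
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        print(f"{r['host']:<12} {r['cveID']:<16} due {r['dueDate']} ({flag}) running {r['version']}")
```

Matching on vendor and product strings is deliberately loose, which is the right failure mode for a prioritization pass: a false hit costs a look at the advisory, a miss costs an unpatched exploited bug. The script does not try to decide whether an installed version is vulnerable, because the KEV feed carries no version data; that step belongs to the vendor's release notes.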