
SolarWinds RCE bug makes Cisa list as exploitation spreads | Computer Weekly

By Computer Weekly
February 4, 2026


A critical vulnerability in SolarWinds’ Web Help Desk service has been added to the US Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue as exploitation spreads in the wild.

CVE-2025-40551 was among six common vulnerabilities and exposures (CVEs) disclosed by SolarWinds in an advisory at the end of January. It arises from Common Weakness Enumeration (CWE) 502 – deserialisation of untrusted data – and, left unaddressed, enables an attacker to achieve remote code execution (RCE) on the target system.

The five other flaws listed in SolarWinds’ 28 January advisory are: CVE-2025-40552, an authentication bypass vulnerability; CVE-2025-40553, another RCE flaw arising from deserialisation; CVE-2025-40554, a second authentication bypass; CVE-2025-40536, which enables attackers to bypass access controls; and CVE-2025-40537, which may enable privilege elevation. All bear either high or critical Common Vulnerability Scoring System (CVSS) markers.

An update from SolarWinds taking Web Help Desk to version 2026.1 has since fixed all six issues.

In his analysis, researcher Jimi Sebree of Horizon3.ai, who discovered CVE-2025-40551 in early December, described it as “easily exploitable” and encouraged users to update as soon as possible, especially since it can be exploited without authentication.

“Attackers don’t always need ‘zero-day’ magic when they can just lean on reliable, low-complexity techniques like deserialisation. These flaws get buried in trusted, boring platforms like help desks, and that’s exactly why they’re so dangerous,” said Joe Brinkley, head of threat research at offensive security specialist Cobalt.

“Risks like this are often overlooked until Cisa drops a Kev notice. The real headache isn’t just the RCE; it’s the chaining. Once you’ve got unauthenticated admin access, you’re not just looking at one box, you are now looking at lateral movement and full compromise.

“We often see orgs underestimate just how fast the turnaround is from a proof of concept hitting GitHub to active exploitation. If you’re not hitting this with proactive validation and simulation now, you’re already behind the curve. Patch now,” added Brinkley.

Widely-used product

SolarWinds Web Help Desk is a helpdesk and IT service management platform that runs ticketing, asset tracking, service level agreement (SLA) management and workflow automation for IT support teams. It is widely used at organisations of many different sizes, and previous flaws discovered in the product have been swiftly weaponised by threat actors, so warnings over this latest set of vulnerabilities should be heeded.

Its addition to the Cisa catalogue indicates a potentially high level of exposure within the US federal government, and obliges all bodies in scope to complete their updates on a much shorter-than-usual timeline, by Friday 6 February in this case.

Dale Hoak, chief information security officer at RegScale, a Washington DC-area governance, risk and compliance (GRC) specialist, said the short remediation window reflected the speed with which operational risk escalates when vulnerabilities move from theoretical to exploited.

“Many organisations still rely on periodic assessments, which struggle to keep pace with threats that evolve in days, not months,” said Hoak. “The limitation is not awareness of vulnerabilities, but the speed at which teams can validate exposure and enforce remediation. Continuous controls monitoring helps close this gap by turning patching and configuration changes into measurable, auditable actions. That shift is critical for maintaining resilience under real-world attack pressure.”


