
CISA Flags Actively Exploited SolarWinds Web Help Desk Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution vulnerability in SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog. This designation signifies that the flaw is actively being exploited by threat actors, prompting urgent action from organizations to secure their systems.

Key Takeaways

  • CISA has added CVE-2025-40551, a critical RCE vulnerability in SolarWinds Web Help Desk, to its KEV catalog.

  • The vulnerability allows unauthenticated attackers to execute commands on the host machine.

  • SolarWinds has released patches for this and other related vulnerabilities.

  • Federal civilian agencies are mandated under BOD 22-01 to remediate this vulnerability by February 6, 2026.

Critical Vulnerability Added to KEV Catalog

CISA's inclusion of CVE-2025-40551 in the KEV catalog highlights its immediate threat. This vulnerability, rated with a CVSS score of 9.8, is described as a deserialization of untrusted data that can lead to remote code execution. Crucially, it can be exploited without requiring any authentication, making it a prime target for attackers seeking to gain unauthorized access to sensitive systems.

SolarWinds' Response and Patching

SolarWinds has acknowledged the severity of the issue and has released fixes for CVE-2025-40551, along with several other vulnerabilities (CVE-2025-40536, CVE-2025-40537, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554) in Web Help Desk version 2026.1. The company urges customers to update their systems to the latest version as soon as possible to mitigate the risks associated with these flaws. Some reports indicate that multiple critical vulnerabilities, including authentication bypass flaws, could be chained with the RCE vulnerability to achieve complete system control.

Mandates for Federal Agencies

As per Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate CVE-2025-40551 by February 6, 2026. Other vulnerabilities added to the KEV catalog, including those affecting Sangoma FreePBX and GitLab, have a deadline of February 24, 2026. While these directives apply specifically to federal agencies, CISA strongly advises all organizations to prioritize patching these known exploited vulnerabilities to reduce their attack surface.

Broader Context of Exploitation

The rapid addition of this SolarWinds vulnerability to the KEV catalog underscores the speed at which threat actors are moving to exploit newly disclosed security flaws. While specific details about how CVE-2025-40551 is being weaponized, the targets, or the scale of these attacks are not yet publicly available, its presence in the KEV catalog serves as a clear warning to all users of SolarWinds Web Help Desk.

Sources

  • CISA Adds Actively Exploited SolarWinds Web Help Desk RCE to KEV Catalog, The Hacker News.

  • SolarWinds Web Help Desk Vulnerability Actively Exploited, Infosecurity Magazine.

  • SolarWinds releases third patch to fix Web Help Desk RCE bug, BleepingComputer.

  • SolarWinds Web Help Desk Vulnerability Exposes Sensitive Data Through Weak Cryptographic Key Management, Cyber Press.

  • SolarWinds Web Help Desk flaw is now exploited in attacks, BleepingComputer.
