SolarWinds Web Help Desk users under threat as vulnerability actively exploited


CISA has warned SolarWinds Web Help Desk users that a remote code execution (RCE) vulnerability, patched by the vendor last week, is being actively exploited.

CVE-2025-40551 was added to CISA’s Known Exploited Vulnerabilities Catalog on Tuesday. Federal civilian agencies have to patch it by Friday.

The flaw is rated critical, with a CVSS score of 9.8, because it could allow unauthenticated adversaries to gain admin-level access to help-desk systems in low-complexity attacks.


“SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication,” said CISA in its update.
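To make the vulnerability class CISA names concrete, the following is an added example that is not SolarWinds, CISA or Horizon3.ai code and does not reproduce the Web Help Desk code path. It uses plain Java object serialization as the illustration vehicle (the page does not say which deserialization mechanism the product uses, so that choice is an assumption), and the `Ticket` and `Unexpected` classes are constructed for the demo. It shows the unsafe pattern, feeding network bytes straight into `ObjectInputStream`, beside the hardened form, an `ObjectInputFilter` allowlist (JEP 290, Java 9+) that rejects any class the endpoint does not genuinely expect.

```java
import java.io.*;

/*
 * Added example, not code from SolarWinds or CISA. Demonstrates why
 * "untrusted data deserialization" is an RCE class: the unfiltered reader
 * instantiates whatever class the bytes name, so the sender, not the
 * application, decides which code runs. The filtered reader only admits
 * the types this endpoint is supposed to receive.
 */
public class DeserializationDemo {

    // Constructed data type the application legitimately expects.
    public static class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String subject;
        public Ticket(String subject) { this.subject = subject; }
    }

    // Constructed stand-in for "any class the endpoint never asked for".
    public static class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Helper: produce a serialized blob, standing in for bytes arriving over the network.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern: untrusted bytes go straight to ObjectInputStream.
    // Every class named in the stream is resolved and instantiated before the
    // application gets a chance to look at the result.
    static Object readUnfiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: an allowlist filter is installed on the stream. The
    // pattern string admits only Ticket (and String, used by its field),
    // caps graph depth and array length, and "!*" rejects everything else.
    static Object readFiltered(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxarray=1000;"
            + Ticket.class.getName() + ";"
            + "java.lang.String;"
            + "!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            ois.setObjectInputFilter(allowlist);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Ticket("printer on floor 3 is offline"));
        byte[] bad  = serialize(new Unexpected());

        // Unfiltered: both blobs deserialize, including the one nobody asked for.
        System.out.println("unfiltered accepts Ticket:     " + (readUnfiltered(good) instanceof Ticket));
        System.out.println("unfiltered accepts Unexpected: " + (readUnfiltered(bad) instanceof Unexpected));

        // Filtered: the expected type passes; the unexpected one is rejected
        // with InvalidClassException before any instance is created.
        System.out.println("filtered accepts Ticket:       " + (readFiltered(good) instanceof Ticket));
        try {
            readFiltered(bad);
            System.out.println("filtered accepts Unexpected:   true");
        } catch (InvalidClassException e) {
            System.out.println("filtered accepts Unexpected:   false (" + e.getMessage() + ")");
        }
    }
}
```

The rejection surfaces as an `InvalidClassException` with a "filter status: REJECTED" message, which is also a useful log line to alert on: a production endpoint that starts emitting them is receiving serialized classes it was never designed to accept. The allowlist belongs to each deserializing endpoint individually; a process-wide filter via the `jdk.serialFilter` system property is a reasonable backstop but is usually too broad to be the only control.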

What also hints at the seriousness of the situation is the three-day deadline mandated by the agency. SolarWinds Web Help Desk, a popular IT ticketing application, is used across the US federal government, but private education and healthcare organizations also utilize it.


According to Dale Hoak, Chief Information Security Officer at RegScale, the short remediation window mandated by CISA reflects how operational risk escalates when vulnerabilities move from theoretical to actively exploited.

“Many organizations still rely on periodic assessments, which struggle to keep pace with threats that evolve in days, not months. The limitation is not awareness of vulnerabilities, but the speed at which teams can validate exposure and enforce remediation,” said Hoak.

“Continuous controls monitoring helps close this gap by turning patching and configuration changes into measurable, auditable actions. That shift is critical for maintaining resilience under real-world attack pressure.”

Joe Brinkley, head of threat research at Cobalt, additionally pointed out that this particular situation is a good example of why attackers don’t always need “zero-day” magic when they can just lean on reliable, low-complexity techniques like deserialization.


“These flaws get buried in trusted, boring platforms like help desks, and that’s exactly why they’re so dangerous. Risks like this are often overlooked until CISA drops a KEV notice,” said Brinkley.

“The real headache isn’t just the RCE; it’s the chaining. Once you've got unauthenticated admin access, you’re not just looking at one box, you are now looking at lateral movement and full compromise.”

Brinkley thinks organizations underestimate just how fast the turnaround is from a proof of concept hitting GitHub to active exploitation: “If you’re not hitting this with proactive validation and simulation now, you’re already behind the curve. Patch now.”


Cybersecurity experts say enterprises should follow the same CISA guidelines to minimize their attack surface, even though CISA’s KEV only applies to federal agencies.

Discovered by Jimi Sebree of Horizon3.ai, CVE-2025-40551 is one of four critical vulnerabilities found in SolarWinds Web Help Desk and fixed by the vendor in an update on January 28th. Needless to say, users and administrators of affected products are advised to update to the latest version immediately.
