Security News

Cybersecurity news aggregator

Source: The Register Security

Critical SolarWinds Web Help Desk bug under attack

Attackers are actively exploiting CVE-2025-40551, a critical (CVSS 9.8) untrusted deserialization vulnerability in SolarWinds Web Help Desk that lets a remote, unauthenticated attacker execute OS commands on the affected system. The flaw is fixed in Web Help Desk version 2026.1, released on January 28, and CISA has given federal agencies an expedited deadline to apply the patch.

Attackers are exploiting a critical SolarWinds Web Help Desk bug less than a week after the vendor disclosed and fixed the 9.8-rated flaw. That's according to America's lead cyber-defense agency, which set a Friday deadline for federal agencies to patch the security flaw.

The vulnerability under attack, CVE-2025-40551, is an untrusted deserialization flaw that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system.

SolarWinds fixed the security hole, along with five others, in Web Help Desk version 2026.1, released on January 28. Horizon3.ai and watchTowr researchers reported these six bugs to the software vendor, with Horizon3 warning that "these vulnerabilities are easily exploitable."

While there weren't any known cases of in-the-wild exploitation at the time of disclosure, Rapid7 threat hunters said "we expect this to change as and when technical details become available." Plus, they pointed out, SolarWinds' Web Help Desk product has made two previous appearances, both times in 2024, in CISA's Known Exploited Vulnerabilities catalog, "indicating that it is a target for real-world attackers."

These were CVE-2024-28987, a critical hardcoded login credential bug, and CVE-2024-28986, a deserialization RCE vulnerability that needed three rounds of patching before attackers could no longer bypass the fix.

While we don't know who is attacking the latest Web Help Desk vulnerability, or what they are doing with the access to vulnerable machines, the abbreviated deadline for federal agencies to fix it indicates a serious threat.

Federal agencies are typically required to remediate known exploited vulnerabilities within 14 days of the bugs being added to the catalog. In urgent cases, however, CISA sets a shorter deadline, usually a week, but for CVE-2025-40551 it's just three days.

SolarWinds did not immediately respond to The Register's questions about the size and scope of exploitation. We will update this story if we receive a response.
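The remediation-window rule above, as an added example that is not from The Register article or from CISA's own tooling: a Python script that reads a KEV-style JSON feed and flags entries whose due date falls short of the usual 14-day window, so an expedited entry like the one described here stands out in a vulnerability-management queue. It assumes the public KEV feed's field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`); the feed embedded below is constructed for illustration, and its dates and the two ExampleVendor entries are not real catalog records.

```python
"""Flag CISA KEV entries that carry a shortened remediation deadline.

Added example, not code from The Register or CISA. Assumes the KEV JSON feed
layout: a top-level "vulnerabilities" list whose entries have "cveID",
"vendorProject", "product", "dateAdded" and "dueDate" (YYYY-MM-DD strings).
"""
import json
from datetime import date

# Constructed sample in the shape of the KEV feed. Dates are illustrative only
# and the ExampleVendor entries are placeholders, not real catalog records.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed sample)",
  "vulnerabilities": [
    {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds",
     "product": "Web Help Desk", "dateAdded": "2026-02-03",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-02-06"},
    {"cveID": "CVE-2025-11111", "vendorProject": "ExampleVendor",
     "product": "ExampleProduct", "dateAdded": "2026-02-02",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-02-16"},
    {"cveID": "CVE-2025-22222", "vendorProject": "ExampleVendor",
     "product": "OtherProduct", "dateAdded": "2026-01-20",
     "requiredAction": "Apply updates per vendor instructions.",
     "dueDate": "2026-02-03"}
  ]
}
"""

# The default window the article describes for newly catalogued bugs.
NORMAL_SLA_DAYS = 14


def load_kev(text):
    """Parse a KEV-style feed and return its vulnerability list."""
    return json.loads(text)["vulnerabilities"]


def sla_days(entry):
    """Length, in days, of the remediation window CISA granted for one entry."""
    added = date.fromisoformat(entry["dateAdded"])
    due = date.fromisoformat(entry["dueDate"])
    return (due - added).days


def expedited_cves(entries):
    """CVE IDs whose window is shorter than the normal 14 days."""
    return [e["cveID"] for e in entries if sla_days(e) < NORMAL_SLA_DAYS]


def triage(entries, today):
    """One row per entry with window length, expedited flag and days remaining.

    `today` is a YYYY-MM-DD string. Rows are sorted most urgent first: overdue
    entries (negative days_left) come before those with the least time remaining.
    """
    now = date.fromisoformat(today)
    rows = []
    for e in entries:
        window = sla_days(e)
        due = date.fromisoformat(e["dueDate"])
        rows.append({
            "cve": e["cveID"],
            "product": f"{e['vendorProject']} {e['product']}",
            "window_days": window,
            "expedited": window < NORMAL_SLA_DAYS,
            "days_left": (due - now).days,
        })
    rows.sort(key=lambda r: (r["days_left"], r["cve"]))
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(SAMPLE_KEV_JSON), date.today().isoformat()):
        flag = "EXPEDITED" if row["expedited"] else ""
        print(f"{row['cve']:16} {row['product']:28} window={row['window_days']:2}d "
              f"left={row['days_left']:4}d {flag}")
```

Swap `SAMPLE_KEV_JSON` for the body of the live feed to run it against the real catalog; the sort puts anything already overdue at the top, followed by short-window entries such as a three-day deadline.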
