Threat actors are actively exploiting a critical-severity vulnerability in SolarWinds Web Help Desk (WHD), according to a warning issued by the US Cybersecurity and Infrastructure Security Agency (CISA). The flaw, which could allow unauthenticated remote code execution (RCE), was patched by SolarWinds last week.
Tracked as CVE-2025-40551 and assigned a CVSS score of 9.8, the vulnerability affects SolarWinds Web Help Desk—a widely used ticketing, service, and asset management platform that has historically been a frequent target for cyberattacks.
The issue stems from an untrusted data deserialization flaw within the AjaxProxy functionality. Due to improper request sanitization and the bypass of a blocklist mechanism, attackers can exploit the vulnerability without authentication to execute arbitrary code on affected systems. Similar weaknesses in AjaxProxy have been abused in previous attacks.
SolarWinds addressed the issue in Web Help Desk version 2026.1, which also included fixes for five additional vulnerabilities. However, at the time of release, the company did not disclose whether any of the flaws were being actively exploited.
CISA has since confirmed in-the-wild exploitation by adding CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the severity of the risk. Federal agencies have been directed to apply patches within three days, highlighting the urgency of remediation.
Additional Vulnerabilities Added to CISA’s KEV List
Alongside the SolarWinds vulnerability, CISA also added one GitLab flaw and two Sangoma FreePBX vulnerabilities to the KEV catalog.
- The GitLab issue, CVE-2021-39935, is a medium-severity flaw that allows authenticated attackers to launch server-side request forgery (SSRF) attacks via the CI Lint API. GitLab patched the vulnerability in December 2021.
- The Sangoma FreePBX vulnerabilities, CVE-2019-19006 and CVE-2025-64328, have both been previously exploited in real-world attacks. Security researchers have linked these exploits to the threat group INJ3CTOR3, with recent activity observed as late as December.
Under Binding Operational Directive (BOD) 22-01, US federal agencies have up to three weeks to identify vulnerable GitLab and Sangoma FreePBX instances and apply the necessary patches and mitigations.
What CIOs Should Do
Organizations using SolarWinds Web Help Desk are strongly advised to:
- Immediately upgrade to WHD version 2026.1 or later
- Review systems for signs of compromise
- Ensure vulnerability and patch management processes are up to date
Given SolarWinds’ widespread deployment across enterprise and public-sector environments, CIOs and CISOs should treat this vulnerability as a high-priority remediation item.