Article Details
Scrape Timestamp (UTC): 2026-02-04 18:19:16.124
Source: https://www.theregister.com/2026/02/04/critical_solarwinds_web_help_desk/
Original Article Text
Critical SolarWinds Web Help Desk bug under attack
US agencies told to patch by Friday
Attackers are exploiting a critical SolarWinds Web Help Desk bug - less than a week after the vendor disclosed and fixed the 9.8-rated flaw. That's according to America's lead cyber-defense agency, which set a Friday deadline for federal agencies to patch the security flaw.
The vulnerability under attack, CVE-2025-40551, is an untrusted deserialization flaw that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system. SolarWinds fixed the security hole, along with five others, in Web Help Desk version 2026.1, released on January 28.
Horizon3.ai and watchTowr researchers reported these six bugs to the software vendor, with Horizon3 warning that "these vulnerabilities are easily exploitable." While there weren't any known cases of in-the-wild exploitation at the time of disclosure, Rapid7 threat hunters said "we expect this to change as and when technical details become available."
Plus, they pointed out, SolarWinds' Web Help Desk product has made two previous appearances, both times in 2024, in CISA's Known Exploited Vulnerabilities catalog, "indicating that it is a target for real-world attackers." These were CVE-2024-28987, a critical, hardcoded login credential bug, and CVE-2024-28986, a deserialization RCE vulnerability that was patched three times before the fix worked and attackers weren't able to bypass it.
While we don't know who is attacking the latest Web Help Desk vulnerability, or what they are doing with the access to vulnerable machines, the abbreviated deadline for federal agencies to fix indicates a serious threat. Federal agencies are typically required to remediate known exploited vulnerabilities within 14 days of the bugs being added to the catalog. In urgent cases, however, CISA sets a shorter deadline, usually a week, but in the case of CVE-2025-40551, it's just three days.
SolarWinds did not immediately respond to The Register's questions about the size and scope of exploitation. We will update this story if we receive a response.
Daily Brief Summary
A critical vulnerability, CVE-2025-40551, in SolarWinds Web Help Desk is being exploited, prompting urgent patching by U.S. federal agencies by Friday.
The flaw, an untrusted deserialization issue, allows remote code execution, enabling attackers to execute OS commands without authentication.
SolarWinds released a patch for this and five other vulnerabilities in version 2026.1, following reports from Horizon3.ai and watchTowr researchers.
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated a three-day patch deadline, indicating the severity of the threat.
Previously, SolarWinds Web Help Desk was targeted in 2024, with vulnerabilities making it to CISA's Known Exploited Vulnerabilities catalog.
Rapid7 anticipates increased exploitation as technical details emerge, though current attacker identities and objectives remain unknown.
The expedited response underscores the critical nature of timely vulnerability management and patching to mitigate potential security breaches.