CISA warns of actively exploited SolarWinds RCE vulnerability
Tshedimoso Makhene
February 7, 2026
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has identified a critical remote code execution (RCE) vulnerability in the SolarWinds Web Help Desk (WHD) software that is being actively exploited in attacks.
What happened
According to Bleeping Computer, CISA added the vulnerability, tracked as CVE-2025-40551, to its Known Exploited Vulnerabilities (KEV) Catalog, indicating that it is actively being exploited by cybercriminals. The agency has ordered Federal Civilian Executive Branch (FCEB) agencies to apply available patches within three days to comply with its Binding Operational Directive (BOD) 22-01.
On the same day, SolarWinds released patches for a high-severity hardcoded-credentials vulnerability (CVE-2025-40537) found by Jimi Sebree, along with two authentication-bypass security flaws (CVE-2025-40552 and CVE-2025-40554) identified by Piotr Bazydlo from watchTowr. All these vulnerabilities are remotely exploitable.
Going deeper
The flaw stems from a weakness in how the software handles untrusted data, a programming oversight that allows attackers to execute arbitrary commands remotely without needing to authenticate. This class of vulnerability, known as remote code execution (RCE), gives attackers the ability to fully compromise affected systems.
According to InfoSecurity Magazine, SolarWinds released updates on January 28. They include Web Help Desk version 2026.1, which addresses CVE-2025-40551 along with several other related security issues.
The vulnerability carries a CVSS score of 9.8, placing it in the critical severity range. Experts warn that such RCE vulnerabilities are especially dangerous because they can serve as an entry point for further compromise. Attackers could use it to:
- Move laterally within networks
- Deploy ransomware
- Steal sensitive data
- Take full control of affected systems
What was said
SolarWinds explained that the “SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution which would allow an attacker to run commands on the host machine.” They also noted that “WHD [Web Help Desk] has been updated with a modern underlying language and framework, improving performance, security, and maintainability.”
“At SolarWinds, we prioritize the swift resolution of CVEs to ensure the security and integrity of our software… SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability,” they said.
In the know
The Common Vulnerability Scoring System (CVSS) is a standardized scoring system that uses a score between 0 and 10 to indicate how critical a security vulnerability is. A high score like 9.8 means the vulnerability is critical, easy to exploit, and may result in major damage.
CVSS helps security teams quickly understand the urgency of fixing vulnerabilities by combining factors like how easily the flaw can be exploited and how much harm it can cause.
Why it matters
SolarWinds’ WHD software is widely used in government, enterprise, education, and healthcare environments to manage help desk workflows and IT requests. With SolarWinds claiming over 300,000 customers worldwide, many systems could be at risk if the vulnerability is left unpatched.
FAQs
What is remote code execution (RCE)?
RCE is a type of security flaw that allows attackers to run malicious code or commands on a victim’s computer or server from a remote location.
What could attackers do if they exploit this vulnerability?
They could steal sensitive information, install ransomware, manipulate or destroy data, and use the compromised system as a foothold to attack other network resources.
What tools can help detect exploitation attempts against this vulnerability?
Intrusion detection systems (IDS), endpoint protection platforms, and security information and event management (SIEM) solutions can help spot unusual activity linked to exploitation.
