CVE-2025-40536 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-01-28

Added to CISA KEV: 2026-02-12 15 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Immediately check for indicators of compromise - active exploitation has been observed against SolarWinds Web Help Desk instances. Review access logs, check for unauthorized access, verify system integrity, and look for signs of lateral movement
URGENT: Upgrade to Web Help Desk version 2026.1 immediately to remediate the vulnerability
Implement network segmentation to limit potential lateral movement if compromise has occurred
Monitor Web Help Desk access logs for suspicious unauthenticated access attempts and unauthorized functionality usage
Consider temporarily restricting internet access to WHD instances until patching is complete if operationally feasible
PATCH PRIORITY: CRITICAL - This should be treated as an emergency patch due to active exploitation and high internet exposure

🔍 Web Intelligence (Kagi · 2026-02-12)

CVE-2025-40536 is a security control bypass vulnerability affecting SolarWinds Web Help Desk (WHD) ^[2]^[5]. This vulnerability allows an unauthenticated attacker to gain access to certain restricted functionality ^[2]^[5].

Here's a breakdown of what is known about its exploitation:

Internet-Facing Applications/Services: The vulnerability affects SolarWinds Web Help Desk instances, which are often internet-facing ^[1]^[3]. Threat actors have been observed exploiting these exposed instances to gain initial access and move laterally within networks ^[1]^[3].

Evidence of Active Exploitation: While specific confirmation linking CVE-2025-40536 to the most recent observed attacks is still under investigation by Microsoft ^[1], there is strong evidence that SolarWinds Web Help Desk instances are being actively exploited ^[1]^[3]. Microsoft has observed multi-stage intrusions where threat actors exploit these WHD instances ^[1]^[3].

Attack Vectors and Exploitation Methods: The vulnerability is a security control bypass ^[2]^[5] and does not require user interaction for exploitation ^[7]. It allows an unauthenticated attacker to access restricted functionality ^[2]^[5]. Microsoft is investigating whether this specific vulnerability, along with CVE-2025-40551, was used in recent attacks, or if older vulnerabilities like CVE-2025-26399 were exploited ^[1].

Use in Targeted Attacks: The observed intrusions involve threat actors exploiting internet-exposed WHD instances to gain initial access and then moving laterally to other high-value assets within an organization ^[1]^[3]. This suggests a targeted approach where attackers leverage the vulnerability to infiltrate networks.

CISA Known Exploited Vulnerabilities (KEV) Status: As of the latest information, CVE-2025-40536 has not been explicitly added to the CISA Known Exploited Vulnerabilities (KEV) Catalog ^[4]^[8]. However, CISA has added other SolarWinds Web Help Desk vulnerabilities to its KEV catalog, indicating active exploitation of this product line ^[6]^[9].

Technical Details about Internet Exploitability: The vulnerability allows an unauthenticated attacker to bypass security controls and access restricted functionality on internet-exposed SolarWinds Web Help Desk instances ^[2]^[5]. The CVSS score for CVE-2025-40536 is 8.1 ^[3]^[6]. No user interaction is required for exploitation ^[7].

Sources

Analysis of active exploitation of SolarWinds Web Help Desk
The Microsoft Defender Research Team observed a multi‑stage intrusion where threat actors exploited internet‑exposed SolarWinds Web Help Desk (WHD) instances to get an initial foothold and then laterally moved towards other high-value assets within the organization. However, we have not yet confirme…
CVE-2025-40536 Detail - NVD
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.Description. SolarWinds Web Help Desk was found to be susceptible to a security control bypass…
SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on ...
Microsoft has revealed that it observed a multi‑stage intrusion that involved the threat actors exploiting internet‑exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization's network to other high-value assets. That said, the Microsoft Defe…
Known Exploited Vulnerabilities Catalog - CISA
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…
CVE-2025-40536: SolarWinds Web Help Desk Auth ...
CVE-2025-40536 is an authentication bypass vulnerability in SolarWinds Web Help Desk allowing unauthenticated attackers to access restricted ...

🔴 CVE-2025-40536

📋 Vulnerability Details

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-02-12)

Sources