🔴 CVE-2025-40551

Critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk via untrusted data deserialization. Actively exploited in the wild with no authentication required.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2026-01-28

Added to CISA KEV: 2026-02-03 (6 days between CVE and KEV)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-02-03)

CVE-2025-40551 is a vulnerability affecting SolarWinds Web Help Desk that has been actively exploited in the wild [1][2].

Here's a breakdown of what is known about its exploitation:

  • Internet-Facing Applications/Services: While Web Help Desk is commonly deployed as an internal IT management system, successful exploitation can lead to significant impacts, including access to IT workflows, credentials, configuration data, and systems used for identity and access administration [1]. The vulnerability allows for remote code execution [2].
  • Evidence of Active Exploitation: The vulnerability is confirmed to be actively exploited [1].
  • Attack Vectors and Exploitation Methods: The vulnerability stems from the deserialization of untrusted data [2][3]. It is described as easily exploitable, enabling unauthenticated attackers to achieve remote code execution on vulnerable instances [2]. Attackers can reliably reach dangerous code paths without authentication [1].
  • Targeted Attacks: While the scope might be more targeted due to its nature as an internal IT management system, successful exploitation can be used as a stepping stone for further attacks [1][3].
  • CISA Known Exploited Vulnerabilities (KEV) Status: Information regarding CVE-2025-40551's specific inclusion in the CISA KEV catalog was not found in the provided search results. However, CISA does maintain a catalog of actively exploited vulnerabilities and encourages organizations to use it for vulnerability management prioritization [4][5]. CISA has added other vulnerabilities to its KEV catalog based on evidence of active exploitation [6][7].
  • Technical Details about Internet Exploitability: The vulnerability allows for unauthenticated remote code execution [2]. This means an attacker does not need any prior authentication to exploit this flaw. The exploit involves the deserialization of untrusted data, a common vulnerability class [2][3].

SolarWinds has stated that these issues are patched in Web Help Desk version 2026.1 [2].

Sources

  1. CVE-2025-40551: SolarWinds Web Help Desk RCE | Horizon3.ai

    Actively exploited. CVE-2025-40551 demonstrates that attackers can still reliably reach dangerous code paths without authentication, despite multiple remediation attempts. Because Web Help Desk is commonly deployed as an internal IT management system, compromise has an outsized impact. Successful exp…

  2. CVE-2025-40551: SolarWinds WHD RCE | Horizon3.ai

    CVE-2025-40551: Another Solarwinds Web Help Desk Deserialization Issue. January 28, 2026 | Attack Blogs, Attack Research. These vulnerabilities are easily exploitable and enable unauthenticated attackers to achieve remote code execution on vulnerable Solarwinds Web Help Desk instances. Solarwinds has…

  3. SolarWinds addressed four critical Web Help Desk flaws

    While more targeted in scope, successful exploitation could still allow unauthorized access to sensitive functionality and be used as a stepping stone for further attacks. The fourth critical flaw, tracked as CVE-2025-40551, was found by Jimi Sebree of Horizon3.ai and affects SolarWinds Web Help Des…

  4. Known Exploited Vulnerabilities Catalog

    For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild. Organizations should use the KEV catal…

  5. Reducing the Significant Risk of Known Exploited ...

    Learn about the importance of CISA's Known Exploited Vulnerability (KEV) catalog and how to use it to help build a collective resilience across the cybersecurity community.