170+ SolarWinds Help Desk Installations Vulnerable to RCE Attacks Exposed Online

Over 170 SolarWinds Web Help Desk installations remain vulnerable to a critical remote code execution (RCE) flaw that has been actively exploited in the wild and recently added to CISA’s Known Exploited Vulnerabilities catalog.

The vulnerability, tracked as CVE-2025-40551, carries a CVSS score of 9.8 and allows unauthenticated attackers to execute arbitrary commands on affected systems through deserialization of untrusted data.

The Shadowserver Foundation has been tracking and reporting vulnerable SolarWinds Help Desk installations through its Vulnerable HTTP reports, identifying approximately 170 exposed instances based on version checks. These publicly accessible installations represent critical targets for threat actors, as the vulnerability requires no authentication and can be exploited remotely over the network.

CVE-2025-40551 is an insecure deserialization vulnerability affecting SolarWinds Web Help Desk versions prior to 2026.1. The flaw is in the AjaxProxy component: an attacker can send specially crafted serialized Java objects to the application, and when these are deserialized, arbitrary commands run on the underlying host.
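Shadowserver's exposure figures above come from version checks against the 2026.1 fix line. The following Python helper, added here as an illustration and not part of Shadowserver's tooling or the article, shows how a defender can run the same kind of triage over an internal inventory: it parses a dotted-numeric version out of a banner-style string, compares it with 2026.1 (padding missing components, so 2026.1 and 2026.1.0 are equal), marks unparseable entries as unknown rather than silently treating them as fixed, and attaches the four CVEs the article lists to every affected host. The hostnames and version strings are constructed sample data; the assumption that earlier Web Help Desk releases use a lower dotted-numeric version (for example a 12.x line) is not stated by the article.

```python
"""Inventory triage for SolarWinds Web Help Desk against the 2026.1 fix.

Added example; hostnames and version strings below are constructed.
"""
import re
from dataclasses import dataclass

# Fixed release named by the advisory; anything that sorts below it is affected.
FIXED_VERSION = "2026.1"

# The four CVEs SolarWinds addressed in 2026.1, as listed in the article.
RELATED_CVES = (
    "CVE-2025-40551",  # unauthenticated deserialization RCE (AjaxProxy)
    "CVE-2025-40552",  # authentication bypass
    "CVE-2025-40553",  # deserialization RCE
    "CVE-2025-40554",  # authentication bypass
)

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")


def parse_version(text: str) -> tuple[int, ...]:
    """Return the first dotted-numeric version in `text` as a tuple of ints.

    Trailing text such as 'Hotfix 2' is ignored; raises ValueError if the
    string carries no version at all.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no dotted-numeric version in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def compare_versions(a: tuple[int, ...], b: tuple[int, ...]) -> int:
    """Three-way compare; shorter tuples are padded with zeros (2026.1 == 2026.1.0)."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def classify(version_text: str, fixed: str = FIXED_VERSION) -> str:
    """'affected' if below the fix, 'fixed' otherwise, 'unknown' if unparseable."""
    try:
        observed = parse_version(version_text)
    except ValueError:
        return "unknown"  # never assume an unreadable banner is patched
    return "affected" if compare_versions(observed, parse_version(fixed)) < 0 else "fixed"


@dataclass(frozen=True)
class Finding:
    host: str
    version: str
    status: str
    cves: tuple


def triage(inventory: list[tuple[str, str]]) -> list[Finding]:
    """Classify every (host, version) pair; affected hosts first, then unknown, then fixed."""
    findings = []
    for host, version in inventory:
        status = classify(version)
        cves = RELATED_CVES if status == "affected" else ()
        findings.append(Finding(host, version, status, cves))
    order = {"affected": 0, "unknown": 1, "fixed": 2}
    return sorted(findings, key=lambda f: (order[f.status], f.host))


# Constructed sample inventory (not real hosts or observed banners).
SAMPLE_INVENTORY = [
    ("helpdesk-a.example.internal", "Web Help Desk 2025.4"),
    ("helpdesk-b.example.internal", "Web Help Desk 2026.1"),
    ("helpdesk-c.example.internal", "12.8.3 Hotfix 2"),
    ("helpdesk-d.example.internal", "version unavailable"),
    ("helpdesk-e.example.internal", "2026.1.1"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.status:8} {finding.host:30} {finding.version}")
```

The "unknown" bucket is deliberate: a scanner that cannot read a version should surface the host for manual verification rather than drop it from the list, since an instance that hides its banner is not thereby patched.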

Researchers at Horizon3.ai discovered the vulnerability alongside several related security issues, including static credentials and security protection bypasses.

The vulnerability is particularly dangerous because it allows complete system compromise without any user interaction or prior authentication. Successful exploitation grants attackers full control over the confidentiality, integrity, and availability of the affected system, enabling them to execute commands with the privileges of the Web Help Desk service account.


CISA KEV Addition and Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-40551 to its Known Exploited Vulnerabilities catalog on February 3, 2026, confirming active exploitation in the wild.

Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate this vulnerability by February 6, 2026. The KEV designation signals elevated risk beyond federal environments and indicates that attackers are actively targeting this vulnerability.

BitSight assigned the vulnerability a Dynamic Vulnerability Exploit (DVE) score of 9.19, reflecting extreme technical severity with credible exploitation likelihood. The company noted that attackers continue to prioritize IT management and service desk platforms due to their privileged access, central operational role, and ability to facilitate follow-on compromise.

SolarWinds released version 2026.1 to address CVE-2025-40551 along with three related vulnerabilities: CVE-2025-40552 (authentication bypass), CVE-2025-40553 (deserialization RCE), and CVE-2025-40554 (authentication bypass).

All four vulnerabilities carry critical CVSS scores of 9.8 and enable various forms of unauthenticated access and code execution.

Organizations operating affected versions should apply the vendor-provided updates immediately, as the widespread use of SolarWinds Web Help Desk and confirmed active exploitation make these installations prime targets for threat actors.
