On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a critical security vulnerability affecting SolarWinds Web Help Desk (WHD) as actively exploited in attacks and added it to its Known Exploited Vulnerabilities (KEV) catalog. The untrusted data deserialization vulnerability, identified as CVE-2025-40551 (CVSS score: 9.8), may allow remote code execution. According to CISA, "SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine."
"This could be exploited without authentication." The vulnerability was fixed by SolarWinds last week in WHD version 2026.1, along with CVE-2025-400536 (CVSS score: 8.1), CVE-2025-400537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8). As of right now, there are no public reports regarding the scope of such efforts, who might be the targets, or how the vulnerability is being weaponized in attacks.
It's the most recent example of how swiftly threat actors are taking advantage of recently discovered vulnerabilities.
Three additional vulnerabilities have also been added to the KEV catalog:
CVE-2019-19006 (CVSS score: 9.8): A Sangoma FreePBX improper authentication vulnerability that might enable unauthorized users to bypass password authentication and access services offered by the FreePBX administrator.
CVE-2025-64328 (CVSS score: 8.6): A Sangoma FreePBX operating system command injection vulnerability that might enable remote access to the system as the asterisk user by allowing a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function.
CVE-2021-39935 (CVSS score: 7.5/6.8): A GitLab Community and Enterprise Editions server-side request forgery (SSRF) vulnerability that could enable unauthorized external users to execute Server Side Requests through the CI Lint API.
Notably, in March 2025, GreyNoise brought attention to the exploitation of CVE-2021-39935 as part of a coordinated increase in SSRF vulnerability abuse across several platforms, including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities mandates that agencies of the Federal Civilian Executive Branch (FCEB) address CVE-2025-40551 by February 6, 2026, and the remaining vulnerabilities by February 24, 2026.
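As an added illustration (example code, not from the article or from CISA) of how the BOD 22-01 deadlines above turn into a triage list: the script below reads a KEV-shaped JSON snippet, joins it with open scanner findings per host, and ranks hosts by days remaining until the federal due date, with a separate check for whether a SolarWinds WHD version is at or above the fixed 2026.1 release. The KEV snippet, hostnames and findings are constructed; the real catalog carries more fields than shown here.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (not the real feed);
# the CVE IDs and BOD 22-01 due dates are those reported in the article.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-40551", "product": "Web Help Desk", "dueDate": "2026-02-06"},
    {"cveID": "CVE-2019-19006", "product": "FreePBX", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2025-64328", "product": "FreePBX", "dueDate": "2026-02-24"},
    {"cveID": "CVE-2021-39935", "product": "GitLab CE/EE", "dueDate": "2026-02-24"},
]})

# Constructed scanner findings: hostname -> CVEs still open on that host.
FINDINGS = {
    "whd-prod-01": ["CVE-2025-40551", "CVE-2025-40552"],  # 40552 is fixed in 2026.1 but not in KEV
    "pbx-01": ["CVE-2019-19006"],
    "gitlab-01": ["CVE-2021-39935"],
}

WHD_FIXED = (2026, 1)  # first fixed WHD release named in the article


def whd_version_is_fixed(version: str) -> bool:
    """True if a SolarWinds WHD version string (e.g. '2025.4.1') is at or above 2026.1."""
    return tuple(int(p) for p in version.split(".")) >= WHD_FIXED


def kev_due_dates(kev_json: str) -> dict:
    """Map each KEV cveID to its BOD 22-01 remediation due date."""
    catalog = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in catalog["vulnerabilities"]}


def triage(kev_json: str, findings: dict, today_iso: str) -> list:
    """Return (host, cve, days_left) for every open finding that is in KEV, most urgent first.

    days_left is negative once the deadline has passed. Findings for CVEs not (yet)
    in KEV are skipped: they still need patching, but carry no BOD 22-01 deadline.
    """
    due, today = kev_due_dates(kev_json), date.fromisoformat(today_iso)
    rows = [(host, cve, (due[cve] - today).days)
            for host, cves in findings.items() for cve in cves if cve in due]
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for host, cve, days in triage(KEV_SAMPLE, FINDINGS, "2026-02-10"):
        state = f"OVERDUE by {-days}d" if days < 0 else f"{days}d left"
        print(f"{host:12} {cve:16} {state}")
```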