
On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical security flaw impacting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog and flagged it as actively exploited in attacks.
Specifically, the vulnerability—tracked as CVE-2025-40551 and carrying a CVSS score of 9.8—stems from an untrusted data deserialization issue that could pave the way for remote code execution.
“SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine,” CISA said. “This could be exploited without authentication.”
In response, SolarWinds issued fixes for the flaw last week. At the same time, the company addressed several additional vulnerabilities in WHD version 2026.1, including CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8).
However, there are currently no public reports detailing how attackers are weaponizing the vulnerability, who they may be targeting, or the overall scale of the exploitation. Even so, the incident underscores how quickly threat actors move to exploit newly disclosed flaws once they become public.
At the same time, CISA added three other vulnerabilities to the KEV catalog:
Notably, GreyNoise highlighted the exploitation of CVE-2021-39935 in March 2025 as part of a coordinated surge in the abuse of SSRF vulnerabilities. According to the report, attackers targeted multiple platforms, including DotNetNuke, Zimbra Collaboration Suite, Broadcom VMware vCenter, ColumbiaSoft DocumentLocator, BerriAI LiteLLM, and Ivanti Connect Secure.
Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, Federal Civilian Executive Branch (FCEB) agencies must remediate CVE-2025-40551 by February 6, 2026. Meanwhile, agencies must address the remaining vulnerabilities by February 24, 2026.
Source: The Hacker News