The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw affecting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, flagging it as actively exploited in attacks.
The vulnerability is tracked as CVE-2025-40551 (CVSS 9.8) and is a deserialization flaw that could allow remote code execution, with the agency stating that it “could be exploited without authentication.” SolarWinds issued fixes for the flaw last week in WHD version 2026.1, alongside fixes for CVE-2025-40536, CVE-2025-40537, CVE-2025-40552, CVE-2025-40553 and CVE-2025-40554.
There are currently no public reports detailing how the vulnerability is being weaponised, who might be targeted, or the scale of exploitation. In addition to the SolarWinds entry, the KEV catalog now includes three other vulnerabilities: CVE-2019-19006, CVE-2025-64328 and CVE-2021-39935. Agencies under the Federal Civilian Executive Branch are required to fix CVE-2025-40551 by 6 February 2026 and the others by 24 February 2026 under Binding Operational Directive 22-01.