The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SolarWinds Web Help Desk (WHD) vulnerability—CVE‑2025‑40551—to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw carries a CVSS score of 9.8 and enables unauthenticated remote code execution (RCE) via deserialization of untrusted data. This vulnerability poses a severe risk to enterprises, government agencies, and critical infrastructure relying on SolarWinds WHD.
Vulnerability Details:
- CVE ID: CVE-2025-40551
- Severity: Critical (CVSS 9.8)
- Type: Deserialization of untrusted data (CWE-502)
- Impact: Unauthenticated RCE enabling arbitrary command execution with WHD service privileges
- Affected Product: SolarWinds Web Help Desk (versions prior to 2026.1)
The vulnerability resides in the AjaxProxy functionality, where improper request sanitization and bypass of blocklist validation allow an attacker to submit crafted objects for deserialization, resulting in code execution. Past defects in AjaxProxy have been exploited using similar methods.
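Why blocklist validation in front of a deserializer is a weak control, shown as an added illustration that is not SolarWinds code and not part of the original bulletin. It uses Python's pickle as a stand-in deserializer; the blocklist, the allowlist and both sample inputs are constructed for the example.

```python
import io
import pickle
from collections import OrderedDict
from fractions import Fraction

# Constructed blocklist: only the names the filter author happened to think of.
BLOCKLIST = {("os", "system"), ("subprocess", "Popen"), ("builtins", "eval")}
# Constructed allowlist: the only type this hypothetical endpoint needs.
ALLOWLIST = {("collections", "OrderedDict")}


class BlocklistUnpickler(pickle.Unpickler):
    """Weak pattern: rejects known-bad names and resolves everything else."""

    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Hardened pattern: resolves only expected names and rejects the rest."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)


def try_load(unpickler_cls, data):
    """Return (accepted, detail) for one serialized request body."""
    try:
        obj = unpickler_cls(io.BytesIO(data)).load()
        return True, type(obj).__name__
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed inputs: one expected type, one type the endpoint never meant to accept.
EXPECTED = pickle.dumps(OrderedDict(ticket=42))
UNEXPECTED = pickle.dumps(Fraction(1, 3))

if __name__ == "__main__":
    for label, data in (("expected", EXPECTED), ("unexpected", UNEXPECTED)):
        print(label, "blocklist:", try_load(BlocklistUnpickler, data))
        print(label, "allowlist:", try_load(AllowlistUnpickler, data))
```

The blocklist filter instantiates the unexpected type because nothing on its list names it, while the allowlist filter rejects it before any object is constructed.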
CISA mandates remediation by:
- February 6, 2026 for CVE-2025-40551
Active Exploitation:
CISA confirmed active exploitation, though details about attacker profiles, targets, or campaign scale are not yet public. The addition to the KEV catalog indicates the presence of functional, in-the-wild exploits.
Reports note that:
- No public proof-of-concept (PoC) currently available
- Discussions observed in criminal forums following disclosure
- Likely to be rapidly incorporated into broader threat campaigns
Potential Impact:
Successful exploitation may provide attackers:
- Full system compromise
- Ability to deploy malware or backdoors
- Lateral movement across internal networks
- Credential harvesting
- Access to ticketing, asset, and authentication-integrated infrastructure
SolarWinds WHD is widely deployed across government, corporations, healthcare, and education,
Additional Related Vulnerabilities:
SolarWinds recently patched a group of severe flaws alongside CVE-2025-40551:
- CVE-2025-40552, CVE-2025-40554: Authentication bypass
- CVE-2025-40553: Another unauthenticated RCE via deserialization
Attackers may chain these vulnerabilities to escalate privileges, maintain persistence, or execute more reliable RCE.
Recommendations:
- Apply SolarWinds WHD update to version 2026.1 (fully addresses CVE‑2025‑40551 and related flaws).
