The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SolarWinds Web Help Desk (WHD) vulnerability, CVE-2025-40551, to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The flaw carries a CVSS score of 9.8 and enables unauthenticated remote code execution (RCE) via deserialization of untrusted data. This vulnerability poses a severe risk to enterprises, government agencies, and critical infrastructure relying on SolarWinds WHD.
The vulnerability resides in the AjaxProxy functionality, where improper request sanitization and a bypass of the blocklist validation allow an attacker to submit crafted objects for deserialization, resulting in code execution. Past defects in AjaxProxy have been exploited using similar methods.
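The blocklist bypass described above is the generic weakness of deny-list deserialization filters, not something specific to WHD. The following Python example is added here and is not code from SolarWinds, CISA, or the bulletin; it uses the standard `pickle` module as a stand-in for whatever serialization format WHD uses (the page does not name it). It contrasts a gate that refuses only the class names it has heard of with a gate that accepts only the one type the endpoint expects. `Ticket`, `Unrelated`, `BLOCKLIST`, `ALLOWLIST` and `check` are constructed for the example; the sample streams are built inline, and loading them executes nothing.

```python
import io
import pickle


class Ticket:
    """The one object type the hypothetical endpoint legitimately accepts."""

    def __init__(self, ticket_id: int, subject: str) -> None:
        self.ticket_id = ticket_id
        self.subject = subject


class Unrelated:
    """Constructed stand-in for any class the blocklist author never thought of."""


# Blocklist: deny a few (module, name) pairs known to be dangerous; everything else loads.
BLOCKLIST = {
    ("builtins", "eval"),
    ("builtins", "exec"),
    ("os", "system"),
    ("subprocess", "Popen"),
}

# Allowlist: only the exact type this endpoint needs; everything else is refused.
ALLOWLIST = {(Ticket.__module__, "Ticket")}


class BlocklistUnpickler(pickle.Unpickler):
    """Weak gate: refuses only class references it has been told about."""

    def find_class(self, module, name):
        if (module, name) in BLOCKLIST:
            raise pickle.UnpicklingError(f"blocked: {module}.{name}")
        return super().find_class(module, name)


class AllowlistUnpickler(pickle.Unpickler):
    """Strong gate: refuses every class reference that is not explicitly expected."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWLIST:
            raise pickle.UnpicklingError(f"not allowed: {module}.{name}")
        return super().find_class(module, name)


def check(data: bytes, unpickler_cls) -> tuple[bool, str]:
    """Deserialize through the given gate; return (accepted, type name or refusal reason)."""
    try:
        obj = unpickler_cls(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)
    return True, type(obj).__name__


# Constructed sample streams. Each is a plain pickle produced locally; none of them
# runs anything when loaded, they only reference classes or functions by name.
LEGIT = pickle.dumps(Ticket(42, "printer jam"))  # what the endpoint expects
LISTED = pickle.dumps(eval)                      # bare reference to a name on the blocklist
UNLISTED = pickle.dumps(Unrelated())             # a class the blocklist never anticipated


if __name__ == "__main__":
    for label, data in (("legit", LEGIT), ("listed", LISTED), ("unlisted", UNLISTED)):
        print(
            f"{label:>8}: blocklist={check(data, BlocklistUnpickler)} "
            f"allowlist={check(data, AllowlistUnpickler)}"
        )
```

The `unlisted` stream is the point: the blocklist gate accepts it because `Unrelated` is not on its list, which is exactly how a "blocklist validation bypass" works in any deserializer. The allowlist gate refuses it while still accepting `Ticket`. For a deserialization endpoint the durable fix is an allowlist of expected types enforced at the deserializer, not a longer blocklist.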
CISA mandates remediation by:
CISA confirmed active exploitation, though details about attacker profiles, targets, or campaign scale are not yet public. The addition to the KEV catalog indicates the presence of functional, in-the-wild exploits.
Reports note that:
Successful exploitation may provide attackers:
SolarWinds WHD is widely deployed across government, corporations, healthcare, and education,
SolarWinds recently patched a group of severe flaws alongside CVE-2025-40551:
Attackers may chain these vulnerabilities to escalate privileges, maintain persistence, or execute more reliable RCE.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation.