The US cybersecurity watchdog CISA warns of active abuse of a critical vulnerability in SolarWinds Web Help Desk. Government agencies in the United States have been given three days to install the security update. According to CISA, the flaw is now being used in real attacks.
The vulnerability in question is CVE-2025-40551 in SolarWinds Web Help Desk. It stems from a flaw in how the application processes untrusted data, which allows an attacker to execute code remotely on a vulnerable system without authenticating. The vulnerability was discovered by security researcher Jimi Sebree of Horizon3.ai.
On January 28, SolarWinds released a new version of Web Help Desk that fixes the problem. In the update notes, the company stated that the vulnerability could be exploited to allow an attacker to execute commands on the underlying server.
The same update contained additional security fixes. For example, an error with hard-coded login credentials was resolved, as were two vulnerabilities that allowed authentication to be bypassed. All of these issues could be exploited remotely.
On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog, its list of security flaws confirmed to be exploited in the wild. This means that federal government agencies are required by Binding Operational Directive 22-01 to fix the problem within three days.
Previous problems with SolarWinds
Although this directive only applies to federal agencies, CISA is also calling on other organizations to patch quickly. In the past, vulnerabilities in Web Help Desk have been the target of attacks on several occasions. In 2024, for example, another bug involving hard-coded passwords was actively exploited, and in 2025, SolarWinds had to correct an earlier patch because attackers were able to bypass it.
Web Help Desk is widely used by governments, healthcare institutions, educational organizations, and large companies. SolarWinds states that more than 300,000 customers worldwide use its IT management solutions. This widespread use increases the potential impact when vulnerabilities are not addressed in a timely manner.