Cybersecurity experts are raising alarms over a critical vulnerability in SolarWinds Web Help Desk that has become a target for cybercriminals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has highlighted this issue, emphasizing the urgent need for immediate remediation.
Understanding the SolarWinds Vulnerability
Identified as CVE-2025-40551, the vulnerability carries a severe CVSS score of 9.8, marking it as a high-risk threat. This flaw impacts SolarWinds’ Web Help Desk, an asset management and ticketing solution often targeted by cyber attackers. The vulnerability arises from an untrusted data deserialization issue, which allows remote code execution without requiring authentication.
The vulnerability is linked to the AjaxProxy functionality, which suffers from improper request sanitization and a blocklist bypass. This is not the first time security flaws in AjaxProxy have been exploited in similar ways, raising concerns about recurring security lapses.
Recent Developments and Agency Actions
SolarWinds addressed this critical flaw with a new patch included in WHD version 2026.1 released last week, covering this and five other vulnerabilities. Despite this update, there was no initial indication that the vulnerability was being actively exploited until CISA added it to the Known Exploited Vulnerabilities (KEV) catalog.
CISA’s addition to the KEV catalog underscores the immediate threat, prompting federal agencies to apply the patch within three days. This urgency reflects the high potential risk and the need for swift action to protect sensitive systems from exploitation.
Additional Vulnerabilities and Security Alerts
In addition to the SolarWinds flaw, CISA has also recognized vulnerabilities in GitLab and Sangoma FreePBX. The GitLab vulnerability, CVE-2021-39935, presents a medium-severity threat allowing Server-Side Request Forgery (SSRF) attacks through the CI Lint API. Although patched in late 2021, it remains a concern for unpatched systems.
Sangoma FreePBX vulnerabilities, CVE-2019-19006 and CVE-2025-64328, have been exploited in previous attacks. Notably, the hacking group INJ3CTOR3 has been associated with exploiting these vulnerabilities, highlighting the persistent threat landscape.
Federal agencies are tasked with identifying vulnerable instances of GitLab and Sangoma FreePBX within three weeks as per Binding Operational Directive 22-01. This directive aims to ensure comprehensive protection across governmental networks.
As cybersecurity threats evolve, staying informed about vulnerabilities and applying timely patches remains crucial in safeguarding against potential exploits.
