Critical SolarWinds Vulnerabilities Being Exploited by Threat Actors

Threat actors were found exploiting a critical SolarWinds Web Help Desk bug within a week of the vendor disclosing and fixing the flaw, which carries a CVSS score of 9.8. Rated critical, it allows unauthenticated adversaries to gain admin-level access to help-desk systems in low-complexity attacks.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue.

The most severe of them is CVE-2025-40551, an untrusted data deserialization vulnerability in SolarWinds Web Help Desk.

Successful exploitation could lead to remote code execution, allowing an unauthenticated attacker to run commands on the host machine.

Last week SolarWinds published a list of vulnerabilities identified by Jimi Sebree of Horizon3.ai. CVE-2025-40551 is one of four critical vulnerabilities found in SolarWinds Web Help Desk and fixed by the vendor in an update on January 28.

The security updates address multiple vulnerabilities impacting SolarWinds Web Help Desk, including four critical flaws that could result in authentication bypass and remote code execution (RCE).

The list of vulnerabilities is as follows –

  • CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality
  • CVE-2025-40537 (CVSS score: 7.5) – A hard-coded credentials vulnerability that could allow access to administrative functions using the “client” user account
  • CVE-2025-40551 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
  • CVE-2025-40552 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods
  • CVE-2025-40553 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
  • CVE-2025-40554 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk

According to Rapid7, both CVE-2025-40551 and CVE-2025-40553 are critical deserialization-of-untrusted-data vulnerabilities that allow a remote, unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS commands.

RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.
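As an added illustration of the bug class behind CVE-2025-40551 and CVE-2025-40553, the script below shows why deserializing untrusted data is so reliable for attackers and what a hardened loader looks like. This is not code from SolarWinds, Rapid7 or Horizon3.ai, and Web Help Desk is not a Python application; Python's pickle is used only because it exposes the mechanism in a few lines. The `Ticket` class, the allow-list and the `demo()` harness are assumptions made for the example, and `os.getpid` stands in for the `os.system` call a real attacker would use.

```python
"""Added illustration of 'deserialization of untrusted data' leading to code
execution.  Not derived from SolarWinds Web Help Desk (which is not Python);
pickle is a stand-in that shows the same mechanism."""
import io
import os
import pickle


class Ticket:
    """Hypothetical application object the service legitimately exchanges."""

    def __init__(self, ticket_id, subject):
        self.ticket_id = ticket_id
        self.subject = subject


class Gadget:
    """Attacker-controlled object.  pickle honours __reduce__, which may name
    any importable callable plus its arguments; the loader then *calls* it.
    os.getpid keeps the demo harmless; os.system with a shell string is the
    real-world form and yields command execution on the host."""

    def __init__(self, func, args):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def build_payload(func, args):
    """What the unauthenticated attacker sends over the wire."""
    return pickle.dumps(Gadget(func, args))


def vulnerable_load(data):
    """The bug: deserializing client-supplied bytes with no restriction.
    The callable embedded in the payload runs before this returns."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: every global the stream tries to resolve goes through
    find_class, so an explicit allow-list turns a code-execution primitive
    into a plain deserialization error."""

    # Assumed allow-list: only the application's own Ticket type is resolvable.
    ALLOWED = {(Ticket.__module__, Ticket.__qualname__)}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def hardened_load(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    """Run both loaders against a malicious and a benign stream.
    Returns (gadget_ran_in_vulnerable_loader, hardened_loader_blocked_it,
             subject_of_legitimate_ticket_via_hardened_loader)."""
    payload = build_payload(os.getpid, ())

    # Vulnerable path: the gadget executes and its return value comes back.
    gadget_ran = vulnerable_load(payload) == os.getpid()

    # Hardened path: the same bytes are rejected at the first GLOBAL opcode.
    try:
        hardened_load(payload)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True

    # Hardened path still accepts the application's own object graph.
    legit = hardened_load(pickle.dumps(Ticket(1001, "printer jam")))
    return gadget_ran, blocked, legit.subject


if __name__ == "__main__":
    print(demo())  # (True, True, 'printer jam')
```

The point to take from the hardened variant is that the fix is not input validation on the application data but control over which types the deserializer is allowed to instantiate; the same principle applies to Java's `ObjectInputFilter` and to any other serialization framework that resolves class names from the stream.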

CISA set a three-day remediation deadline, which underscores how seriously it regards the risk of exploitation.

The popular IT ticketing software is used across government, but also in the private sector, especially in education and healthcare.

Conclusion:

Once threat actors gain complete control of a target system, the possibility of follow-on data theft and ransomware cannot be overlooked.

Continuous monitoring of security controls will help close major gaps, since RCE via deserialization is a highly reliable attack vector for threat actors and these vulnerabilities are exploitable without authentication.

Sources:

  • SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass
  • Multiple Critical SolarWinds Web Help Desk Vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554
