Published on February 4, 2026

CISA Adds Actively Exploited SolarWinds Web Help Desk RCE to KEV Catalog


Severity
Critical

Detail

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability affecting SolarWinds Web Help Desk (WHD) to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.

The vulnerability is a deserialization-of-untrusted-data flaw that allows attackers to execute arbitrary commands on affected systems. Successful exploitation may result in unauthenticated remote code execution (RCE), enabling attackers to gain full control of the targeted server.

SolarWinds has released security fixes addressing the vulnerability in WHD version 2026.1, alongside several additional critical vulnerabilities affecting the same product.

CISA has also added vulnerabilities affecting Sangoma FreePBX and GitLab Community and Enterprise Editions to the KEV catalog. However, the primary risk currently centers on the SolarWinds WHD vulnerabilities due to confirmed active exploitation.

Affected Version

Recommendation

Organizations are strongly advised to:

  • Immediately upgrade SolarWinds Web Help Desk to version 2026.1 or later.
  • Prioritize remediation, as vulnerabilities listed in the CISA KEV catalog are confirmed to be actively exploited.
  • Review WHD application and system logs for suspicious activity or unauthorized command execution.
  • Restrict public or external access to WHD servers where possible.
  • Implement network segmentation and least privilege access controls to limit lateral movement.
  • Conduct vulnerability scanning to verify patch implementation.
  • Monitor for abnormal authentication attempts and system modifications related to WHD services.
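
One way to apply the upgrade and patch-verification items above across several servers, as an added example (not part of the original advisory and not SolarWinds or CISA code): it matches a KEV-style record against an asset inventory and flags Web Help Desk hosts below 2026.1. The KEV excerpt, the inventory, its hostnames and its version strings are constructed, and the `external` field is an assumption about what the inventory records.

```python
import json
import re

# Fixed release from the advisory; the CVE id comes from its source link.
FIXED_IN = {"CVE-2025-40551": "2026.1"}

# Constructed KEV-style excerpt (field names as in CISA's public JSON feed).
KEV = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-2025-40551", "vendorProject": "SolarWinds",
   "product": "Web Help Desk"}]}""")

# Constructed inventory: hostnames, versions and exposure flags are hypothetical.
INVENTORY = [
    {"host": "whd-dr-01", "product": "Web Help Desk", "version": "2026.1", "external": False},
    {"host": "whd-test-01", "product": "Web Help Desk", "version": "", "external": False},
    {"host": "whd-int-01", "product": "Web Help Desk", "version": "12.8.8 HF1", "external": False},
    {"host": "whd-prod-01", "product": "web help desk", "version": "12.8.8 HF1", "external": True},
    {"host": "wiki-01", "product": "Other App", "version": "3.2", "external": True},
]

def parse_version(text):
    """Leading dotted-numeric part as a tuple (trailing zeros dropped), else None."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def triage(kev, inventory, fixed_in=FIXED_IN):
    """Return (host, cve, status) rows, unpatched internet-facing hosts first."""
    rank = {"VULNERABLE": 0, "UNKNOWN": 1, "PATCHED": 2}
    rows = []
    for entry in kev["vulnerabilities"]:
        fixed = parse_version(fixed_in.get(entry["cveID"], ""))
        if fixed is None:
            continue  # no fixed version known for this KEV entry
        for asset in inventory:
            if asset["product"].lower() != entry["product"].lower():
                continue
            have = parse_version(asset["version"])
            # Missing version data is reported as UNKNOWN, never assumed patched.
            status = ("UNKNOWN" if have is None
                      else "VULNERABLE" if have < fixed else "PATCHED")
            rows.append((rank[status], not asset["external"], asset["host"],
                         entry["cveID"], status))
    return [row[2:] for row in sorted(rows)]

if __name__ == "__main__":
    for row in triage(KEV, INVENTORY):
        print(*row)
```

Hosts reported as UNKNOWN need a manual version check before they can be counted as remediated.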

Source

https://thehackernews.com/2026/02/cisa-adds-actively-exploited-solarwinds.html
https://www.cve.org/CVERecord?id=CVE-2025-40551