Overview
CISA has added CVE-2025-40551, a critical deserialization vulnerability in SolarWinds Web Help Desk, to its Known Exploited Vulnerabilities (KEV) Catalog. This vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems.
"The vulnerability contains a deserialization of untrusted data vulnerability that could lead to remote code execution, allowing an attacker to run commands on the host machine." — CISA Advisory
Vulnerability Details
| Attribute | Value |
|---|---|
| CVE ID | CVE-2025-40551 |
| Vendor | SolarWinds |
| Product | Web Help Desk |
| Vulnerability Type | Deserialization of Untrusted Data |
| CVSS Score | 9.8 (Critical) |
| Authentication | None Required |
| CISA Due Date | February 26, 2026 |
Technical Analysis
Attack Vector
The vulnerability exists in how Web Help Desk processes serialized Java objects:
- No Authentication Required - Attackers can exploit without valid credentials
- Remote Exploitation - Attack can be launched over the network
- Full System Compromise - Successful exploitation grants command execution
Exploitation in the Wild
Security researchers have observed:
- Targeted attacks against IT service management infrastructure
- Deployment of web shells for persistent access
- Lateral movement to connected systems
- Data exfiltration from helpdesk ticket databases
Affected Versions
| Version | Status |
|---|---|
| Web Help Desk < 12.8.5 | Vulnerable |
| Web Help Desk 12.8.5+ | Patched |
Immediate Actions
1. Check Your Version

```powershell
# Check SolarWinds Web Help Desk version via API
$response = Invoke-WebRequest -Uri "https://your-whd-server/helpdesk/WebObjects/Helpdesk.woa/wa/VersionAction/version"
$response.Content
```

2. Apply Patches Immediately

```
# Download and apply the latest hotfix from SolarWinds Customer Portal
# Ensure you have Web Help Desk 12.8.5 or later installed
```

3. Network Segmentation

If immediate patching is not possible:

```bash
# Block external access to Web Help Desk
# Restrict access to internal trusted networks only
# Adjust the port (8443 shown) and the trusted range (10.0.0.0/8 shown) to your deployment
iptables -A INPUT -p tcp --dport 8443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP
```

4. Monitor for Indicators of Compromise
Look for:
- Unexpected processes spawned by the WHD service
- Unusual outbound network connections
- New or modified files in WHD directories
- Authentication anomalies in logs
Detection Rules
Sigma Rule

```yaml
title: SolarWinds Web Help Desk Exploitation Attempt
status: experimental
logsource:
  category: webserver
detection:
  selection:
    cs-uri-stem|contains:
      - '/helpdesk/WebObjects/'
      - '/Helpdesk.woa/'
    cs-method: 'POST'
  condition: selection
level: high
```

Snort Rule
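To show what the Sigma selection above actually matches, here is an added example (not part of the original advisory) that applies the same logic to constructed W3C-style web server log lines and groups hits by source address for triage. Because any routine POST to the Web Help Desk UI also satisfies the selection, legitimate logins show up among the hits; the field order and the paths after `/wa/` are assumptions for the sample data.

```python
"""Apply the Sigma selection above to W3C extended log lines (added example)."""
from collections import Counter

# Field order assumed for the constructed log lines below (W3C extended format).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]
# The two URI fragments from the Sigma rule's cs-uri-stem|contains list.
URI_MARKERS = ("/helpdesk/WebObjects/", "/Helpdesk.woa/")


def parse_w3c(line):
    """Split one W3C log line into a dict; return None for directives or short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def matches_selection(entry):
    """Sigma 'selection': cs-method is POST and cs-uri-stem contains either marker."""
    return entry["cs-method"] == "POST" and any(
        marker in entry["cs-uri-stem"] for marker in URI_MARKERS
    )


def hunt(lines):
    """Return the matching entries plus a per-source-IP count to prioritise triage."""
    hits = [e for e in map(parse_w3c, lines) if e is not None and matches_selection(e)]
    return hits, Counter(e["c-ip"] for e in hits)


# Constructed sample log; the paths after /wa/ are placeholders, not real WHD endpoints.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2026-02-05 08:12:01 10.20.30.40 GET /helpdesk/WebObjects/Helpdesk.woa - 200",
    "2026-02-05 08:12:09 10.20.30.40 POST /helpdesk/WebObjects/Helpdesk.woa/wa/exampleLogin - 302",
    "2026-02-05 08:13:44 203.0.113.7 POST /helpdesk/WebObjects/Helpdesk.woa/wa/exampleAction - 500",
    "2026-02-05 08:13:45 203.0.113.7 POST /helpdesk/WebObjects/Helpdesk.woa/wa/exampleAction - 500",
    "2026-02-05 08:14:02 203.0.113.7 POST /other-app/submit - 200",
    "truncated line",
]

if __name__ == "__main__":
    hits, by_source = hunt(SAMPLE_LOG)
    for entry in hits:
        print(entry["date"], entry["time"], entry["c-ip"], entry["cs-uri-stem"], entry["sc-status"])
    print("hits per source:", dict(by_source))
```

Running it against the sample shows three hits, one of which is the routine login from the internal address, so the per-source counts rather than the raw match are what a responder should look at first.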
```
alert tcp any any -> any 8443 (msg:"Potential SolarWinds WHD Exploitation"; content:"POST"; http_method; content:"/helpdesk/WebObjects/"; http_uri; classtype:attempted-admin; sid:1000001; rev:1;)
```

Timeline
| Date | Event |
|---|---|
| January 2026 | Vulnerability discovered |
| January 28, 2026 | SolarWinds releases patch |
| February 3, 2026 | CISA adds to KEV |
| February 5, 2026 | Active exploitation confirmed |
| February 26, 2026 | FCEB remediation deadline |