Security Intelligence
Loading table of contents...
Loading table of contents...
At a glance: CISA has confirmed active exploitation of a critical remote code execution vulnerability in SolarWinds Web Help Desk. CVE-2025-40551 allows unauthenticated attackers to execute code remotely via the AjaxProxy component. SolarWinds released Web Help Desk version 2026.1 in late January 2026 to address this issue alongside five additional vulnerabilities, four of which are rated critical.
Threat summary
On February 3, the Cybersecurity and Infrastructure Security Agency (CISA) added a remote code execution vulnerability in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog, noting active exploitation. No public attribution has been made regarding the threat actors involved.
A week prior, on January 28, SolarWinds released Web Help Desk version 2026.1, addressing six vulnerabilities. The patch includes four critical flaws, tracked as:
-
CVE-2025-40551
-
CVE-2025-40552
-
CVE-2025-40553
-
CVE-2025-40554
Each carries a Common Vulnerability Scoring System score of 9.8 and enables remote code execution under certain conditions.
CVE-2025-40552 and CVE-2025-40554 are described as authentication bypass vulnerabilities; CVE-2025-40551 and CVE-2025-40553 are due to untrusted data deserialization and could allow remote execution of code without authentication.
CVE‑2025‑40551 is the vulnerability confirmed as exploited in the wild. Reporting indicates that threat actors are leveraging the AjaxProxy component, consistent with techniques observed in earlier Web Help Desk exploitation activity.
Analysis & mitigation
The exploitation is low in complexity and can be performed remotely, requiring no valid credentials. This increases the risk for vulnerable instances, particularly those accessible from the internet. The worst-case scenario involves full system takeover, lateral movement, credential theft, and compromise of downstream systems integrated with Web Help Desk.
Web Help Desk’s role in managing service workflows and asset inventories makes it a valuable target for threat actors seeking operational access.
Organizations can reduce exposure by applying the Web Help Desk 2026.1 update across all deployments. Reviewing externally accessible instances, limiting network exposure, and validating that no unauthorized changes occurred prior to patching provide additional risk reduction.
Additional recommendations include enabling enhanced logging, reviewing suspicious AjaxProxy activity, and examining help desk workflows for signs of unauthorized access or privilege misuse.
Field Effect MDR users were alerted via ARO if vulnerable systems were detected in their environment.
Stay on top of emerging threats like this.
Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities.
.jpg)