A critical vulnerability (CVE-2025-40551) has been identified in SolarWinds Web Help Desk, a widely used IT service management platform deployed across enterprise and public sector environments to manage support tickets, assets, and internal workflows. Successful exploitation could allow an unauthenticated attacker to execute arbitrary commands on the underlying host system.
CVE-2025-40551 carries a CVSS score of 9.8 (Critical) and a Bitsight Dynamic Vulnerability Exploit (DVE) score of 6.16, reflecting extreme technical severity with a moderate but credible likelihood of exploitation. SolarWinds has released a fixed version and strongly recommends immediate patching.
CVE-2025-40551 was added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog on February 3, 2026, confirming that this vulnerability has been exploited in the wild. CISA requires remediation by February 6, 2026 in accordance with Binding Operational Directive 22-01. This designation applies to U.S. Federal Civilian Executive Branch (FCEB) agencies. This designation significantly increases the urgency for all organizations operating affected versions, as KEV inclusion signals active exploitation and elevated risk beyond federal environments.
CVE-2025-40551 overview
CVE-2025-40551 is an untrusted data deserialization vulnerability in SolarWinds Web Help Desk that can be exploited without authentication. An attacker may send specially crafted requests to trigger remote code execution (RCE), enabling them to run arbitrary commands with the privileges of the Web Help Desk service.
Affected versions include SolarWinds Web Help Desk 12.8.8 HF1 and all previous releases. The vulnerability is fully remediated in SolarWinds Web Help Desk version 2026.1. Internet-facing deployments and internally exposed systems with weak segmentation are at highest risk.
According to Bitsight Threat Intelligence
At the time of writing, no public GitHub proof-of-concept exploit has been observed. However, the inclusion of CVE-2025-40551 in CISA’s KEV Catalog confirms that functional exploits exist and have been used in real-world environments. Bitsight has also observed increased discussion of this vulnerability in underground communities following public disclosure.
CISA currently lists ransomware usage as unknown. While no ransomware or named APT groups have been publicly linked to CVE-2025-40551, unauthenticated remote code execution vulnerabilities are commonly leveraged as initial access vectors for follow-on attacks, including ransomware deployment and lateral movement.
CVE-2025-40551 technical overview
Vulnerability Type: Untrusted data deserialization leading to Remote Code Execution
Affected Product: SolarWinds Web Help Desk
Authentication Required: None
Potential Impact: Full system compromise, command execution, lateral movement
CVSS Score: 9.8 (Critical)
Dynamic Vulnerability Exploit (DVE) Score: 9.19
Related CWE: CWE-502
Why this matters
- Unauthenticated attackers can gain remote code execution
- CISA confirms active exploitation in the wild through KEV inclusion
- SolarWinds Web Help Desk often operates with elevated privileges and internal visibility
- Internet-exposed or poorly segmented environments face increased risk
- Successful exploitation could enable persistence, lateral movement, or data access
CVE-2025-40551 impact to organizations
Organizations running vulnerable versions of SolarWinds Web Help Desk may face:
- Unauthorized remote access to IT management infrastructure
- Execution of arbitrary commands and payload deployment
- Potential compromise of connected systems and internal networks
- Operational disruption and service downtime
- Regulatory and compliance risk due to KEV designation
- Delayed detection due to abuse of legitimate application functionality