Overview
- Tracked as CVE-2025-40551 with a CVSS score of 9.8, the flaw allows unauthenticated remote code execution through deserialization of untrusted data.
- CISA added the issue to its Known Exploited Vulnerabilities catalog on Tuesday and set a February 6 deadline for federal remediation, while other newly added GitLab and Sangoma FreePBX flaws are due February 24.
- SolarWinds released Web Help Desk 2026.1 on January 28, addressing CVE-2025-40551 and five additional vulnerabilities reported by Jimi Sebree of Horizon3.ai and Piotr Bazydlo of watchTowr.
- Researchers and vendor notes highlight the bug in the AjaxProxy component, where improper request sanitization and a blocklist bypass enable exploitation similar to past WHD issues.
- Public reporting has not detailed targets or scale of attacks; SolarWinds says it has not observed widespread exploitation, but organizations are urged to update immediately due to WHD’s broad deployment.