CISA orders federal agencies to patch exploited SolarWinds bug by Friday

Summary

CISA has added CVE-2025-40551 — a critical deserialization vulnerability in SolarWinds Web Help Desk (WHD) — to its Known Exploited Vulnerabilities catalogue and ordered federal civilian agencies to patch it by Friday. The flaw carries a CVSS score of 9.8 and is being actively exploited. Horizon3.ai researcher Jimi Sebree discovered and disclosed the issue to SolarWinds; it traces back to earlier 2024 bypasses around CVE-2024-28986. SolarWinds released Web Help Desk version 2026.1, which fixes CVE-2025-40551 and several related bugs. CISA added this bug alongside three other vulnerabilities that agencies must remediate before the end of the month.

Key Points

  • CVE-2025-40551 is a critical (CVSS 9.8) deserialization bug in SolarWinds Web Help Desk (WHD).
  • CISA has mandated that federal civilian agencies patch the vulnerability by Friday, following reports of active exploitation.
  • Horizon3.ai researcher Jimi Sebree discovered the issue and reported it to SolarWinds on 5 December 2025.
  • SolarWinds released WHD version 2026.1, which contains the fix for CVE-2025-40551 and other recent vulnerabilities.
  • The bug is linked to a family of issues that bypassed prior fixes (notably CVE-2024-28986).
  • CISA added the vulnerability to its Known Exploited Vulnerabilities catalogue alongside three others that require remediation this month.

Context and Relevance

SolarWinds WHD is a widely used IT service management tool for ticketing, asset tracking and centralising IT support. A critical vulnerability in such a tool presents a serious supply-chain and operational risk: attackers who exploit WHD can gain footholds into organisations’ IT workflows and potentially pivot to other systems.

The CISA directive and the high CVSS score signal active exploitation and immediate risk — particularly for federal civilian agencies, but also for any organisation running WHD. This fits a broader trend of adversaries targeting IT management and supply-chain products to maximise access and persistence.

Why should I read this?

Short version: if you run SolarWinds Web Help Desk, patch now. CISA’s slapped an urgent deadline on this because attackers are already using the bug. The vendor has a fix in WHD 2026.1 — installing it removes a high-severity risk that could let attackers mess with your IT operations. If you’re responsible for security or infrastructure, this is one to action, not to skim.

Source

Source: https://therecord.media/cisa-orders-agencies-patch-solarwinds-vuln