Someone's attacking SolarWinds WHD - but which bug?
Briefly

"We have not yet confirmed whether the attacks are related to the most recent set of WHD vulnerabilities disclosed on January 28, 2026, such as CVE-2025-40551 and CVE-2025-40536, or stem from previously disclosed vulnerabilities like CVE-2025-26399. Since the attacks occurred in December 2025 and on machines vulnerable to both the old and new set of CVEs at the same time, we cannot reliably confirm the exact CVE used to gain an initial foothold."
"CVE-2025-40551 is a critical untrusted deserialization flaw that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system. It earned a 9.8 CVSS rating, and about a week after the vendor issued a security advisory urging customers to patch the vulnerability, the US Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog and gave federal agencies just three days to patch the security hole."
Digital intruders exploited buggy SolarWinds Web Help Desk (WHD) instances in December to break into IT environments, move laterally, and steal high-privilege credentials. The specific vulnerability used for initial access remains unconfirmed because the affected systems were vulnerable both to the January 28, 2026 disclosures (CVE-2025-40551 and CVE-2025-40536) and to previously disclosed flaws such as CVE-2025-26399. The investigation into the intrusions is ongoing and further analysis is expected. SolarWinds did not immediately respond to inquiries. CVE-2025-40551 is a critical untrusted-deserialization RCE rated 9.8 and was added to CISA's Known Exploited Vulnerabilities catalog with a three-day patch directive for federal agencies. CVE-2025-40536 is a high-severity (8.1) security control bypass that has not yet appeared in CISA's exploited-bugs catalog.
Read at Theregister