
CISA Orders Federal Agencies to Patch Exploited SolarWinds Bug by Friday
The U.S. cyber defense agency has reported that a vulnerability in SolarWinds' widely used IT help desk software is being actively exploited by malicious actors.
Federal civilian agencies are required to patch CVE-2025-40551 by Friday. SolarWinds disclosed the flaw last week, crediting security researchers at Horizon3.ai for its discovery and responsible disclosure.
The vulnerability carries a critical severity score of 9.8 out of 10. It affects SolarWinds Web Help Desk (WHD), an IT service management platform that large organizations use to centralize IT support functions such as ticketing and asset tracking. Because a help desk platform typically holds credentials, asset inventories and privileged integrations with the rest of the IT estate, a compromise of WHD gives an attacker a well-placed foothold.
Jimi Sebree, a researcher at Horizon3.ai, detailed the bug in a blog post and tied it to a 2024 vulnerability in the same product, CVE-2024-28986, which was also added to the Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog at the time.
According to Sebree, CVE-2025-40551 is the latest in a series of bypasses of the fixes SolarWinds shipped for CVE-2024-28986. Sebree reported CVE-2025-40551 to SolarWinds on December 5. The practical consequence of a patch-bypass chain is that having applied the earlier fixes for CVE-2024-28986 does not protect an installation; only the current release does.
SolarWinds has released Web Help Desk version 2026.1 to address the flaw. The update resolves CVE-2025-40551 along with additional security issues recently identified by researchers, so administrators should confirm that the deployed version is 2026.1 rather than an earlier patched build, and review whether the WHD web interface needs to be reachable from the internet at all.
CVE-2025-40551 has been added to CISA's KEV catalog, which carries a binding remediation deadline for federal civilian agencies. Those agencies must also patch three other vulnerabilities from the catalog by the end of the month.

