SolarWinds Appears To Be Back From The Dead
CISA has added the actively exploited, critical (CVSS 9.8) flaw in SolarWinds’ Web Help Desk, reported last week, to its Known Exploited Vulnerabilities (KEV) catalog and is giving federal agencies until Friday to patch it.
The bug is a deserialization-of-untrusted-data weakness (CWE-502) that allows a remote, unauthenticated attacker to execute arbitrary code on affected systems.
Horizon3.ai researchers revealed that the new vulnerability, tracked as CVE-2025-40551, stems from an earlier flaw uncovered in 2024 (CVE-2024-28986): it is one of an ongoing chain of issues caused by incomplete remediation of the original vulnerability, each allowing attackers to bypass the previous fix.
In response, SolarWinds has released Web Help Desk 2026.1, which addresses this and several related vulnerabilities, including several rated high severity. Some of those also bypass authentication controls or allow similar impacts, such as privilege escalation or arbitrary actions by unauthenticated users.
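The incomplete-fix pattern described above, as an added illustration that is not SolarWinds code and is not taken from the Horizon3.ai write-up. The original 2024 bug was a Java deserialization issue; Python's pickle has the same class of weakness and runs stand-alone, so it is used here. The three loaders, the two gadget payloads and the Ticket class are all constructed for this example: the first loader deserializes whatever arrives, the second "patches" only the gadget named in a bug report (a blocklist, which the next gadget walks straight past), and the third refuses everything except the one type the application actually expects.

```python
import io
import pickle
import subprocess
import sys


class Ticket:
    """Legitimate application object the service expects to receive (constructed)."""

    def __init__(self, ticket_id, subject):
        self.ticket_id = ticket_id
        self.subject = subject


# --- Constructed attacker payloads --------------------------------------------
# pickle's reduce protocol lets a payload name any importable callable plus its
# arguments, and the unpickler calls it on load. Both gadgets are deliberately
# harmless (they only produce a marker string), but the callable and arguments
# are chosen entirely by the sender, which is the remote code execution primitive.
class EvalGadget:
    def __reduce__(self):
        return (eval, ("'attacker code ran via eval'",))


class SubprocessGadget:
    def __reduce__(self):
        cmd = [sys.executable, "-c", "print('attacker code ran via subprocess')"]
        return (subprocess.check_output, (cmd,))


PAYLOAD_V1 = pickle.dumps(EvalGadget())        # the gadget from the first report
PAYLOAD_V2 = pickle.dumps(SubprocessGadget())  # the bypass of a narrow patch
PAYLOAD_OK = pickle.dumps(Ticket(42, "printer on fire"))


# --- 1. Original weakness: deserialize untrusted bytes as-is ------------------
def load_vulnerable(data):
    return pickle.loads(data)


# --- 2. Incomplete fix: deny only the gadget that was reported ----------------
class BlocklistUnpickler(pickle.Unpickler):
    DENIED = {("builtins", "eval")}

    def find_class(self, module, name):
        if (module, name) in self.DENIED:
            raise pickle.UnpicklingError(f"blocked {module}.{name}")
        return super().find_class(module, name)


def load_blocklisted(data):
    return BlocklistUnpickler(io.BytesIO(data)).load()


# --- 3. Root-cause fix: only reconstruct types the application owns -----------
class AllowlistUnpickler(pickle.Unpickler):
    ALLOWED = {(Ticket.__module__, "Ticket")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing {module}.{name}")


def load_allowlisted(data):
    return AllowlistUnpickler(io.BytesIO(data)).load()


def try_load(loader, data):
    """Run a loader on a payload; return its value, or 'rejected' if it refused."""
    try:
        result = loader(data)
    except pickle.UnpicklingError:
        return "rejected"
    if isinstance(result, bytes):          # check_output returns bytes
        result = result.decode().strip()
    return result


if __name__ == "__main__":
    loaders = [("vulnerable", load_vulnerable),
               ("blocklist", load_blocklisted),
               ("allowlist", load_allowlisted)]
    payloads = [("gadget v1", PAYLOAD_V1), ("gadget v2", PAYLOAD_V2),
                ("ticket", PAYLOAD_OK)]
    for lname, loader in loaders:
        for pname, payload in payloads:
            print(f"{lname:>10} / {pname:<9}: {try_load(loader, payload)!r}")
```

The blocklist closes the reported CVE and nothing else: a second payload that names a different callable loads exactly as the first one did. The allowlist fixes the weakness rather than the report, because the unpickler can no longer reach any callable the application did not explicitly hand it. The stronger answer is not to deserialize attacker-controlled bytes with a code-capable format at all (plain JSON for a ticket like this), with the allowlist kept as defence in depth where the format cannot be changed.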
Vishal Agarwal, CEO, Averlon had this comment:
“What stands out is not one critical CVE, but a series of six caused by incomplete fixes of the same underlying weakness. This incident shows how easy it is to patch the reported bug without eliminating the root problem. Engineers are moving fast, working at scale, and are not security specialists. The answer isn’t more expertise. It’s better reasoning that helps teams fix the system, not just the CVE.”
Damon Small, Board of Directors, Xcape, Inc. follows with this comment:
“SolarWinds’ Web Help Desk has a critical remote code execution vulnerability (CVE-2025-40551) stemming from untrusted data deserialization, which is the same root cause as a flaw patched two years ago, discovered by the same researcher who found the original issue. CISA has added it to the Known Exploited Vulnerabilities catalog, confirming active exploitation and requiring immediate patching to version 2026.1.
“While this is the only confirmed exploit currently, the January 2026 patch also addressed three other critical vulnerabilities, including authentication bypasses, that could be chained together for full system compromise. Organizations must patch immediately to avoid becoming the next breach headline.
“When the same researcher finds the bypass to your two-year-old patch, that’s not a vulnerability; that’s a sequel nobody asked for.”
Lydia Zhang, President & Co-Founder, Ridge Security Technology Inc. adds this comment:
“These CVEs are quite serious and involve Remote Code Execution (RCE) attacks caused by authentication bypass or improper data deserialization. ‘Help Desk’ software is an obvious target and an easy entry point into an enterprise network, enabling attackers to cause further damage. Security teams should patch these vulnerabilities right away.”
I truly thought that we were done with the dumpster fire that was SolarWinds. But I guess like the bad guy who dies at the end of the movie only to come back in the sequel, nothing of this sort truly goes away.
This entry was posted on February 5, 2026 at 11:54 am and is filed under Commentary with tags CISA. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.