Listen to this Post

A newly discovered, high-severity flaw in SolarWinds’ Web Help Desk (WHD) platform is under active attack, according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This development comes just days after the software vendor released a patch, underscoring the urgency for organizations to update their systems immediately. The vulnerability, which enables remote code execution without authentication, highlights how even recently patched systems can remain dangerously exposed if organizations delay applying updates.
SolarWinds CVE-2025-40551: The Threat in Focus
The flaw, tracked as CVE-2025-40551, carries a critical CVSS score of 9.8 and impacts SolarWinds Web Help Desk, a widely used ticketing, service, and asset management platform. Security researchers describe the bug as an untrusted data deserialization issue, which can be triggered remotely without any authentication. The root cause lies in the platform’s AjaxProxy functionality, where improper request sanitization and the bypassing of blocklist protections leave the system vulnerable.
Interestingly, similar AjaxProxy vulnerabilities have been exploited in the past, signaling a recurring weakness that threat actors are now taking advantage of again. Last week, SolarWinds released WHD version 2026.1, which addressed this and five other vulnerabilities. However, the company did not initially report any active exploitation. That changed when CISA confirmed the flaw was being actively exploited in the wild, adding it to its Known Exploited Vulnerabilities (KEV) catalog and demanding federal agencies apply patches within three days.
Related Vulnerabilities in GitLab and Sangoma FreePBX
CISA’s KEV update didn’t stop with SolarWinds. A GitLab vulnerability (CVE-2021-39935) was included, a medium-severity bug that allows authenticated users to perform SSRF attacks through the CI Lint API. Though patched in December 2021, no exploitation reports surfaced until now.
Two additional flaws in Sangoma FreePBX, tracked as CVE-2019-19006 and CVE-2025-64328, were also highlighted. These vulnerabilities have been exploited previously: Check Point reported attacks on CVE-2019-19006 by the INJ3CTOR3 hacking group in 2020, and Fortinet noted active exploitation of CVE-2025-64328 since December. Federal agencies must address GitLab and Sangoma issues within three weeks per Binding Operational Directive 22-01.
What Undercode Says: The Bigger Picture
Recurrent Weaknesses in Popular Platforms
The recurrence of AjaxProxy vulnerabilities in SolarWinds demonstrates a troubling trend: enterprise software often carries legacy flaws that remain unaddressed, despite patches. Hackers exploit these repetitive weaknesses quickly, leaving organizations little time to react.
Urgency of Patch Management
The three-day mandate for SolarWinds patching is unusually tight, emphasizing the real-world risk of CVE-2025-40551. Organizations that delay updates—even by a week—can become immediate targets. In practical terms, this vulnerability is an “open door” for attackers to execute remote commands, compromise sensitive assets, and potentially move laterally within networks.
Supply Chain Risks Amplified
Given that SolarWinds’ software is widely integrated into enterprise IT environments, exploitation could cascade into broader supply chain attacks. Previous incidents, such as the infamous 2020 SolarWinds breach, illustrate how a single compromised vendor can expose multiple organizations.
Lessons from GitLab and FreePBX
The KEV updates remind IT teams that both old vulnerabilities and newly patched flaws are worth monitoring. Even medium-severity bugs, like the GitLab SSRF issue, can be weaponized if attackers find an opening. Sangoma FreePBX exploits show the persistent threat posed by previously abused vulnerabilities, emphasizing proactive scanning and patching.
Strategic Mitigation Approaches
Organizations should implement automated vulnerability scanning, enforce rapid patching policies, and consider network segmentation to isolate critical systems like WHD and FreePBX. Intrusion detection systems must be tuned to detect AjaxProxy anomalies and SSRF attempts. Training staff to recognize and report unusual system behavior adds a human layer of defense.
Long-Term Security Implications
This wave of active exploitation signals that attackers are increasingly targeting critical infrastructure software with known flaws. Companies should anticipate that even recently patched systems might be compromised and adopt continuous monitoring rather than reactive updates.
🔍 Fact Checker Results
✅ CVE-2025-40551 is actively exploited as confirmed by CISA.
✅ SolarWinds WHD version 2026.1 includes patches for this flaw.
❌ No confirmed exploitation of GitLab vulnerability prior to CISA listing.
📊 Prediction
Threat actors are likely to expand attacks leveraging SolarWinds and similar enterprise tools in 2026. Organizations delaying patches face high risk of ransomware or supply chain compromise. Automated detection and immediate patch deployment will be the frontline defense, while vendors must prioritize secure coding practices to prevent recurring deserialization flaws.
🕵️📝✔️Let’s dive deep and fact‑check.
References:
Reported By: www.securityweek.com
Extra Source Hub (Possible Sources for article):
https://www.discord.com
Wikipedia
OpenAi & Undercode AI
Image Source:
Unsplash
Undercode AI DI v2
Bing
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow UndercodeNews & Stay Tuned:
𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon




