SolarWinds RCE bug makes Cisa list as exploitation spreads


A critical vulnerability in SolarWinds’ Web Help Desk service has been added to the US Cybersecurity and Infrastructure Security Agency’s (Cisa’s) Known Exploited Vulnerabilities (Kev) catalogue as exploitation spreads in the wild.

CVE-2025-40551 was among six common vulnerabilities and exposures (CVEs) disclosed by SolarWinds in an advisory at the end of January. It arises from Common Weakness Enumeration (CWE) 502 – deserialisation of untrusted data – and, left unaddressed, enables an attacker to gain remote code execution (RCE) on the target system.

The five other flaws listed in SolarWinds’ 28 January advisory are: CVE-2025-40552, an authentication bypass vulnerability; CVE-2025-40553, another RCE flaw arising from deserialisation; CVE-2025-40554, a second authentication bypass; CVE-2025-40536, which enables attackers to bypass access controls; and CVE-2025-40537, which may enable privilege elevation. All carry either high or critical Common Vulnerability Scoring System (CVSS) ratings.

An update from SolarWinds taking Web Help Desk to version 2026.1 has since fixed all six issues.

In his analysis, researcher Jimi Sebree of Horizon3.ai, who discovered CVE-2025-40551 in early December, described it as “easily exploitable” and encouraged users to update as soon as possible, particularly since it can be exploited without authentication.

“Attackers don’t always need ‘zero-day’ magic when they can simply lean on reliable, low-complexity methods like deserialisation. These flaws get buried in trusted, boring platforms like help desks, and that is exactly why they’re so dangerous,” said Joe Brinkley, head of threat research at offensive security specialist Cobalt.

“Risks like this are often ignored until Cisa drops a Kev notice. The real headache isn’t just the RCE; it’s the chaining. Once you’ve got unauthenticated admin access, you’re not just one box, you’re now lateral movement and full compromise.

“We often see orgs underestimate just how fast the turnaround is from a proof of concept hitting GitHub to active exploitation. If you’re not hitting this with proactive validation and simulation now, you’re already behind the curve. Patch now,” added Brinkley.

Widely-used product

SolarWinds Web Help Desk is a helpdesk and IT service management platform that runs ticketing, asset tracking, service level agreement (SLA) management and workflow automation for IT support teams. It is widely used at organisations of many different sizes, and previous flaws discovered in the product have been swiftly weaponised by threat actors in the past, so warnings over this latest set of vulnerabilities should be heeded.

Its addition to the Cisa catalogue indicates a potentially high level of exposure across the US federal government, and obliges all bodies in scope to complete their updates on a much shorter-than-usual timeline, by Friday 6 February in this case.

Dale Hoak, chief information security officer at RegScale, a Washington DC-area governance, risk and compliance (GRC) specialist, said the short remediation window reflected the speed with which operational risk escalates when vulnerabilities move from theoretical to exploited.

“Many organisations still rely on periodic assessments, which struggle to keep pace with threats that evolve in days, not months,” said Hoak. “The limitation isn’t awareness of vulnerabilities, but the speed at which teams can validate exposure and implement remediation. Continuous controls monitoring helps close this gap by turning patching and configuration changes into measurable, auditable actions. That shift is critical for maintaining resilience under real-world attack pressure.”