Attackers are exploiting a critical SolarWinds Web Help Desk bug - less than a week after the vendor disclosed and fixed the 9.8-rated flaw. That's according to America's lead cyber-defense agency, which set a Friday deadline for federal agencies to patch the security flaw.
The vulnerability under attack, CVE-2025-40551, is an untrusted deserialization flaw that can lead to remote code execution, allowing a remote, unauthenticated attacker to execute OS commands on the affected system.
SolarWinds fixed the security hole, along with five others, in Web Help Desk version 2026.1, released on January 28. Horizon3.ai and watchTowr researchers reported these six bugs to the software vendor, with Horizon3 warning that "these vulnerabilities are easily exploitable."
While there weren't any known cases of in-the-wild exploitation at the time of disclosure, Rapid7 threat hunters said "we expect this to change as and when technical details become available."
Plus, they pointed out, SolarWinds' Web Help Desk product has made two previous appearances, both times in 2024, in CISA's Known Exploited Vulnerabilities catalog, "indicating that it is a target for real-world attackers."
These were CVE-2024-28987, a critical hardcoded login credential bug, and CVE-2024-28986, a deserialization RCE vulnerability that was patched three times before the fix held and attackers were no longer able to bypass it.
While we don't know who is attacking the latest Web Help Desk vulnerability, or what they are doing with their access to vulnerable machines, the abbreviated deadline for federal agencies to fix it indicates a serious threat.
Federal agencies are typically required to remediate known exploited vulnerabilities within 14 days of the bugs being added to the catalog. In urgent cases, however, CISA sets a shorter deadline, usually a week, but in the case of CVE-2025-40551, it's just three days.
A SolarWinds spokesperson told The Register that the company is "aware of the reported issues," and recommended customers apply the updated, patched software "promptly."
"Based on our review, we have not observed widespread exploitation, and we are continuing to monitor the situation and partner with customers closely," the spokesperson said. ®
