
""SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine," CISA said. "This could be exploited without authentication." SolarWinds issued fixes for the flaw last week, along with CVE-2025-40536 (CVSS score: 8.1), CVE-2025-40537 (CVSS score: 7.5), CVE-2025-40552 (CVSS score: 9.8), CVE-2025-40553 (CVSS score: 9.8), and CVE-2025-40554 (CVSS score: 9.8), in WHD version 2026.1."
"Also added to the KEV catalog are three other vulnerabilities -
- CVE-2019-19006 (CVSS score: 9.8) - An improper authentication vulnerability in Sangoma FreePBX that potentially allows unauthorized users to bypass password authentication and access services provided by the FreePBX administrator
- CVE-2025-64328 (CVSS score: 8.6) - An operating system command injection vulnerability in Sangoma FreePBX that could allow for a post-authentication command injection by an authenticated known user via the testconnection -> check_ssh_connect() function and potentially obtain remote access to the system as an asterisk user"
CISA added CVE-2025-40551, a critical untrusted data deserialization vulnerability in SolarWinds Web Help Desk (CVSS 9.8), to its Known Exploited Vulnerabilities catalog and flagged it as actively exploited. The vulnerability can lead to remote code execution, allowing an attacker to run commands on the host machine without authentication. SolarWinds released fixes in WHD version 2026.1 and patched several related CVEs at the same time. There are no public reports detailing how attackers are weaponizing the flaw, who is being targeted, or the scale of exploitation. CISA also added multiple Sangoma FreePBX vulnerabilities and a GitLab-related vulnerability to the KEV catalog.
Read at The Hacker News