CISA orders federal agencies to patch exploited SolarWinds bug by Friday
A vulnerability affecting a popular IT help desk tool from software company SolarWinds is being exploited by hackers, according to the U.S. cyber defense agency.
Federal civilian agencies will have until Friday to patch CVE-2025-40551, a critical vulnerability reported by SolarWinds last week. The company said security researchers at Horizon3.ai discovered the vulnerability and reported it to them.
CVE-2025-40551 carries a critical severity score of 9.8 out of 10 and impacts SolarWinds Web Help Desk (WHD) — an IT service management platform used by many large organizations to handle ticketing, asset tracking and other tasks. The tool helps companies centralize IT support operations.
Horizon3.ai researcher Jimi Sebree published a blog post about the bug that traced the issue back to another vulnerability discovered in 2024. That bug, CVE-2024-28986, was also added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities list at the time.
According to Sebree, CVE-2025-40551 is the latest in a series of bugs that are centered around bypasses of fixes to CVE-2024-28986. Sebree discovered and reported CVE-2025-40551 to SolarWinds on December 5.
SolarWinds has published an update in Web Help Desk version 2026.1 that fixes the issues. The company fixed CVE-2025-40551 and several other security bugs that were recently discovered by researchers.
CISA added CVE-2025-40551 to the Known Exploited Vulnerabilities catalog alongside three other vulnerabilities that federal civilian agencies will need to patch before the end of the month.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



