Active Exploitation of SolarWinds Web Help Desk Flaws Enables Remote Code Execution
SolarWinds warned that multiple vulnerabilities in Web Help Desk are being actively exploited, with reporting highlighting a critical flaw that can lead to remote code execution on exposed help-desk servers. Public references tie the activity to CVE-2025-40554, while additional SolarWinds advisories and third-party research point to related issues including CVE-2025-40552, CVE-2025-40553, and CVE-2025-40536, indicating a broader security problem affecting the product.
Security researchers and defenders published proof-of-concept material and detection guidance shortly after disclosure, including a watchTowr repository focused on Web Help Desk exploitation and a GitHub Gist describing uncommon process activity associated with compromise. The combination of vendor advisories, media reporting, and public exploit research indicates that attackers moved quickly to weaponize the flaws, increasing risk for organizations that have not patched, isolated, or monitored SolarWinds Web Help Desk deployments.

How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
SolarWinds publishes advisory for CVE-2025-40554
SolarWinds published a Trust Center security advisory for CVE-2025-40554. The reference explicitly anchors this advisory to January 1, 2026.
watchTowr publishes repository on SolarWinds Web Help Desk CVEs
watchTowr Labs published a GitHub repository focused on SolarWinds Web Help Desk vulnerabilities CVE-2025-40552 and CVE-2025-40553. This represents public release of additional technical material related to the flaws.
Detection content for SolarWinds Web Help Desk exploitation is published
A GitHub Gist titled "SolarWinds Web Help Desk Exploitation - Uncommon Process Activity" was published, indicating technical detection details related to the exploitation activity were made available.
Reports emerge of active exploitation of SolarWinds Web Help Desk flaw
News coverage reported that a critical vulnerability in SolarWinds Web Help Desk was being actively exploited. Multiple outlets covered the same development in early February 2026.
SolarWinds publishes advisory for CVE-2025-40536
SolarWinds published a Trust Center security advisory for CVE-2025-40536. This is the earliest explicitly dated event present in the references.
Sources
6 references tracked.
GitHub - watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553 · GitHub
github.com
SolarWinds Web Help Desk Exploitation - Uncommon Process Activity · GitHub
gist.github.com
Critical flaw in SolarWinds Web Help Desk under exploitation | Cybersecurity Dive
cybersecuritydive.com
SolarWinds Web Help Desk Vulnerability Actively Exploited - Infosecurity Magazine
infosecurity-magazine.com
SolarWinds Trust Center Security Advisories | CVE-2025-40536 | SolarWinds
solarwinds.com
SolarWinds Trust Center Security Advisories | CVE-2025-40554 | SolarWinds
solarwinds.com


