Feb 3 / Latest News

CISA Issues Urgent Warning Over Exploited SolarWinds Critical Flaw

WASHINGTON — Federal cybersecurity officials have issued an urgent directive to government agencies following confirmation of active exploitation of a critical vulnerability in SolarWinds Web Help Desk.

The Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog today, signaling that attackers are already using the bug to compromise systems. The vulnerability carries a severity score of 9.8 out of a possible 10 and poses a significant risk to organizational data and network integrity, as threat actors continue to weaponize newly disclosed software weaknesses with increasing speed.

The flaw, tracked as CVE-2025-40551, is a deserialization of untrusted data issue that lets an unauthenticated remote attacker execute code on the host. SolarWinds released a fix last week in Web Help Desk version 2026.1, but the bug's addition to the KEV catalog indicates that the window for preventive patching is closing rapidly, and organizations still running earlier versions should upgrade without delay. CISA warned that the flaw gives unauthorized users a direct path to full control of affected systems, though the agency has not disclosed the scale of the attacks or the identity of the perpetrators.

In addition to the SolarWinds alert, CISA expanded its "must-fix" list with three other vulnerabilities being exploited in the wild: two flaws in Sangoma FreePBX, one allowing password bypass and the other command injection, and a server-side request forgery (SSRF) bug in GitLab. The GitLab vulnerability is part of a broader pattern of SSRF abuse that security researchers identified earlier this year across a range of enterprise platforms. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate the SolarWinds flaw by February 6, 2026, and the remaining three vulnerabilities by February 24, to reduce the risk of a significant federal data breach. The deadlines bind only federal agencies, but CISA urges all organizations to prioritize remediation of KEV-listed vulnerabilities.