Critical SolarWinds Web Help Desk Flaw Exploited; CISA Orders Rapid Patching

Security authorities and independent researchers have observed active exploitation of a critical remote code execution vulnerability in SolarWinds Web Help Desk (WHD). The flaw stems from untrusted data deserialization in the product’s AjaxProxy component and allows unauthenticated attackers to execute arbitrary code against affected instances. SolarWinds released WHD 2026.1 with fixes addressing this defect along with several other bugs, but telemetry showing live exploitation prompted CISA to add the SolarWinds issue to its Known Exploited Vulnerabilities (KEV) catalog and to require rapid remediation by federal agencies. The vulnerability’s high CVSS-style severity reflects both straightforward exploitability and potentially broad impact for ticketing and asset-management systems that are internet-reachable or insufficiently segmented. In the same KEV announcement window, CISA also drew attention to other actively abused or historically significant flaws across different ecosystems, underscoring a pattern in which legacy services and document- or proxy-related bugs are being weaponized quickly after disclosure. The KEV designation compresses timelines and forces organizations to re-prioritize operational work—sometimes moving these patches ahead of routine change windows. Vendors and researchers further flagged related issues: a GitLab SSRF that was included in guidance and two Sangoma FreePBX vulnerabilities, at least one of which has documented in-the-wild exploitation tied to financially motivated actors. For defenders, the immediate response should combine prompt installation of WHD 2026.1 updates, temporary network restrictions (e.g., ACLs, firewall rules, and blocking public access to management ports), and focused hunting for behaviors consistent with deserialization or proxy abuse. Detection work ought to include searching logs for anomalous AjaxProxy interactions, unusual process launches on WHD hosts, and lateral movement indicators that would follow a successful RCE. Longer-term mitigations include isolating administrative consoles from general networks, enforcing least-privilege access, and integrating patch verification into change control to avoid blind spots. The incident adds to a broader operational story where attackers rapidly convert exposed management tooling and legacy components into reliable entry points, increasing the urgency for organizations to combine vendor patches with compensating network and detection controls. Ultimately, the coordinated vendor fix and CISA enforcement give a clear remediation path, but the real risk is any window between exploitation and verified patching when adversaries can establish persistence or move into connected systems.