CISA flags actively exploited SolarWinds Web Help Desk flaw

March 21, 2026 | 2 min read | 2 sources

CISA has added a SolarWinds Web Help Desk vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming the bug is being used in real-world attacks. The flaw is rated critical and affects SolarWinds Web Help Desk, a ticketing and IT service management product used across enterprises and public-sector organizations.

The vulnerability makes exposed instances a high-priority patching target. SolarWinds has published an advisory and released fixes, and CISA has added the issue to KEV.

The KEV listing matters because it signals more than theoretical risk: CISA only adds vulnerabilities that have evidence of active exploitation. For federal civilian agencies, KEV inclusion usually triggers accelerated remediation deadlines. For everyone else, it is a strong indicator that exploit activity may already be spreading beyond targeted attacks into broader scanning and opportunistic compromise.

Organizations running Web Help Desk should apply SolarWinds’ fixes immediately, review whether any instances are internet-accessible, and investigate for signs of compromise before and after patching. Defenders should look for suspicious web requests, unexpected child processes spawned by the application, unfamiliar outbound connections, and possible persistence mechanisms such as web shells or scheduled tasks.
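A small hunting routine for the signals listed above, added here as an example and not code from CISA, SolarWinds, or the advisory; the service process name, the egress allowlist, and the sample telemetry are constructed assumptions and will need to be replaced with values from your own EDR or audit logs.

```python
"""Hunt over host telemetry for the post-exploitation signals a compromised help
desk server tends to show: the application spawning a shell or a task scheduler
(web shell / persistence), and the application process reaching unexpected hosts."""

# Assumption: the name the Web Help Desk service process carries in your telemetry.
HELPDESK_PROCESS = "helpdesk-service"
# Children a ticketing application has no business spawning.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash", "schtasks.exe", "crontab"}
PERSISTENCE_TOOLS = {"schtasks.exe", "crontab"}
# Constructed allowlist: hosts the application legitimately talks to (database, mail relay).
EXPECTED_EGRESS = {"10.0.0.5", "10.0.0.6"}

# Constructed sample events in a simplified EDR-like shape; not real telemetry.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "helpdesk-service", "image": "java", "cmdline": "java -jar whd.jar"},
    {"type": "process", "parent": "helpdesk-service", "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"type": "process", "parent": "helpdesk-service", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /create /tn svc-check /tr C:\\temp\\run.bat"},
    {"type": "network", "process": "helpdesk-service", "dst": "10.0.0.5", "dport": 5432},
    {"type": "network", "process": "helpdesk-service", "dst": "198.51.100.7", "dport": 443},
]


def hunt(events, app=HELPDESK_PROCESS):
    """Return (reason, event) pairs worth an analyst's attention, in event order."""
    findings = []
    for ev in events:
        if ev["type"] == "process" and ev["parent"] == app:
            image = ev["image"].lower()
            if image in SUSPICIOUS_CHILDREN:
                # A scheduler child points at persistence; a shell child points at a
                # web shell or command injection in the application.
                reason = "persistence" if image in PERSISTENCE_TOOLS else "shell-from-app"
                findings.append((reason, ev))
        elif ev["type"] == "network" and ev["process"] == app:
            if ev["dst"] not in EXPECTED_EGRESS:
                findings.append(("unexpected-egress", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in hunt(SAMPLE_EVENTS):
        print(f"[{reason}] {ev}")
```

The explorer-spawned cmd.exe and the database connection are deliberately left out of the findings, so the checks only fire on activity attributed to the help desk process itself.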

The risk is significant because help desk platforms often store support tickets, attachments, asset details, internal hostnames, and workflow data that can help attackers move deeper into a network. Even systems reachable only through a VPN or internal segment should not be treated as low-risk if they remain unpatched.

CISA’s action makes the priority clear: if Web Help Desk is in your environment, patch it and hunt for compromise now.
