Overview

On May 6, 2026, Palo Alto Networks published a security advisory for CVE-2026-0300, a critical unauthenticated buffer overflow vulnerability affecting PAN-OS PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability. The vulnerability carries a CVSSv4 score of 9.3 and has been confirmed as exploited in the wild by the vendor.

CVE-2026-0300 is a buffer overflow (CWE-787) in the User-ID™ Authentication Portal (also known as Captive Portal), a non-default PAN-OS feature used to map IP addresses to usernames. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected firewall. No authentication or user interaction is required.

Palo Alto Networks has confirmed limited exploitation in the wild targeting Authentication Portals exposed to either untrusted IP addresses or the public internet. No patches are currently available; fixed versions are expected to begin rolling out on May 13, 2026, with additional releases through May 28, 2026.

PAN-OS is among the most widely deployed enterprise firewall operating systems in the world. Shodan identifies approximately 225,000 internet-facing PAN-OS instances, representing a significant attack surface. Rapid7 strongly urges all organizations running affected PAN-OS versions with the User-ID Authentication Portal enabled to apply the available workarounds immediately and prioritize patching as soon as fixed versions become available.

Update #1: On May 6, 2026, CVE-2026-0300 was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation. Palo Alto Networks Unit 42 also published a threat brief attributing observed exploitation to CL-STA-1132, a likely state-sponsored threat cluster that deployed open-source tunneling tools and conducted Active Directory enumeration following initial compromise.

Mitigation guidance

Organizations running PA-Series and VM-Series firewalls with the User-ID™ Authentication Portal enabled should apply the available workarounds immediately and prioritize patching as soon as fixed versions are released. Check the official documentation to establish whether the affected User-ID™ Authentication Portal is currently enabled.

According to the Palo Alto Networks advisory, the following versions are affected by CVE-2026-0300:

Until patches are available, Palo Alto Networks recommends one of the following workarounds:

• Restrict User-ID™ Authentication Portal access to only trusted internal zones. Refer to Step 6 of the Live Community article and the Knowledgebase article for instructions on restricting access.

• Disable User-ID™ Authentication Portal entirely if it is not required (Device > User Identification > Authentication Portal Settings > uncheck Enable Authentication Portal).

Please refer to the vendor advisory for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-0300 with authenticated vulnerability checks available in the May 6th, 2026 content release.

Updates

• May 6, 2026: Initial publication.

• May 7, 2026: Updated overview to note the addition to CISA KEV and the Unit 42 threat brief attributing exploitation to CL-STA-1132.

Overview

On April 28, 2026, cPanel issued a security update to fix a critical vulnerability affecting the cPanel & WHM and WP Squared products. In the cPanel release notes, the bug was described as "an issue with session loading and saving." CVE-2026-41940, the identifier subsequently assigned on April 29, 2026, has a CVSS score of 9.8 and allows unauthenticated remote attackers to bypass authentication and gain unauthorized administrative access to the affected systems. First-party cPanel & WHM and WP Squared vendor advisories are available.

cPanel & WHM is web hosting control panel software used to manage websites and servers. WHM provides root-level administration, while cPanel acts as the user-facing interface. Successful exploitation of CVE-2026-41940 grants an attacker control over the cPanel host system, its configurations and databases, and websites it manages. A naive Shodan query for potential targets returns approximately 1.5 million cPanel instances exposed to the internet that may be vulnerable.

A managed cPanel host, KnownHost, stated that CVE-2026-41940 is actively being exploited in the wild, with speculation of targeted zero-day exploitation happening as early as February 23, 2026, prior to the vulnerability’s public disclosure. Security firm watchTowr has published a technical analysis and proof-of-concept exploit for CVE-2026-41940. As such, widespread exploitation in the wild is expected to be imminent.

Technical overview

Systems exposing the affected web service software are vulnerable by default.

As of April 29, 2026, a technical analysis and proof-of-concept exploit have been published by security firm watchTowr. CVE-2026-41940 is an authentication bypass caused by a Carriage Return Line Feed (CRLF) injection in the login and session loading processes of cPanel & WHM.

Before authentication occurs, `cpsrvd` (the cPanel service daemon) writes a new session file to the disk. The vulnerability allows an attacker to manipulate the `whostmgrsession` cookie by omitting an expected segment of the cookie value, avoiding the encryption process typically applied to an attacker-provided value. Attackers can inject raw `\r\n` characters via a malicious basic authorization header, and the system subsequently writes the session file without sanitizing the data. As a result, the attacker can insert arbitrary properties, such as `user=root`, into their session file. After triggering a reload of the session from the file, the attacker establishes administrator-level access for their token.

Mitigation guidance

Organizations running on-premise instances of cPanel & WHM or WP Squared should prioritize upgrading to a fixed version on an emergency basis. Some hosting providers have opted to temporarily institute workaround TCP port blocks for cPanel & WHM web services on ports 2083 and 2087. However, defenders are strongly advised to patch, rather than implement workarounds.

Affected Software:

The vendor states that all versions after 11.40 are affected, prior to the following available fixed versions.

• cPanel & WHM 11.86.0 versions prior to fixed version 11.86.0.41

• cPanel & WHM 11.110.0 versions prior to fixed version 11.110.0.97

• cPanel & WHM 11.118.0 versions prior to fixed version 11.118.0.63

• cPanel & WHM 11.126.0 versions prior to fixed version 11.126.0.54

• cPanel & WHM 11.130.0 versions prior to fixed version 11.130.0.19

• cPanel & WHM 11.132.0 versions prior to fixed version 11.132.0.29

• cPanel & WHM 11.134.0 versions prior to fixed version 11.134.0.20

• cPanel & WHM 11.136.0 versions prior to fixed version 11.136.0.5

• WP Squared versions prior to fixed version 136.1.7

Please read the vendor advisory for the latest guidance.

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-41940 with authenticated vulnerability checks available in the April 30, 2026 content release.

Updates

• April 29, 2026: Initial publication.
• April 30, 2026: Update mitigation guidance with additional fixed version numbers and change wording to reflect availability of vulnerability checks.

Overview

On March 30, 2026, a security advisory was published for a critical vulnerability affecting Nginx UI. Nginx UI is an open-source web interface to centralize the management of Nginx configurations and SSL certificates. The critical vulnerability, CVE-2026-33032, was reported in early March by Pluto Security researcher Yotam Perkal and subsequently patched on March 15, 2026. That same day, Pluto Security published a technical blog post with some vulnerability details.

CVE-2026-33032 is a missing authentication bug with a CVSS score of 9.8; as a result of missing authentication controls, an unauthenticated attacker who exploits CVE-2026-27944 to leak information can access a Model Context Protocol (MCP) server that can perform privileged operations on managed Nginx web servers. Systems are vulnerable in the default IP allowlist configuration, which allows any remote IP to access MCP functionality. Exploitation results in full attacker control of the managed Nginx service. 

According to a Recorded Future report published on April 13, 2026, exploitation of CVE-2026-33032 in the wild has begun. A PurpleOps report published on April 16, 2026 associated exploitation of CVE-2026-33032 in the wild with the information leak vulnerability CVE-2026-27944, indicating that these two vulnerabilities are being exploited as a chain.

Mitigation guidance

Organizations running Nginx UI should prioritize updating on an urgent basis to remediate CVE-2026-33032. Additionally, to reduce exposure to future vulnerabilities affecting Nginx UI, defenders should ensure that network access to the Nginx UI management interface is strictly limited to those who must have it.

Affected versions:

According to the finder’s blog post, version 2.3.3 and prior are affected, and the fix is present in version 2.3.4 and later. However the official CVE record states that versions 2.3.5 and below are affected. The information leak vulnerability being exploited in the wild with CVE-2026-33032, CVE-2026-27944, was patched in version 2.3.3. This discrepancy in affected version numbers introduces confusion as to the correct version required to remediate CVE-2026-33032. To avoid this version number discrepancy, users are advised to update to the very latest version (2.3.6).

Please read the vendor advisory for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-33032 with unauthenticated checks available in the April 17 content release.

Updates

• April 16, 2026: Initial publication.

• April 17, 2026: Added additional details on exploitation workflow, vulnerable software versions, and product coverage.

Overview

On March 23, 2026, Citrix published a security advisory for a critical vulnerability affecting their NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway) products. This vulnerability, CVE-2026-3055, which is classified as an out-of-bounds read and holds a CVSS score of 9.3, allows unauthenticated remote attackers to leak potentially sensitive information from the appliance's memory.

The Citrix advisory states that systems configured as a SAML Identity Provider (SAML IDP) are vulnerable, whereas default configurations are unaffected. This SAML IDP configuration is likely a very common configuration for organizations utilizing single sign-on. Per the advisory, organizations can determine if they have an appliance configured as a SAML IDP Profile by inspecting their NetScaler Configuration for the specified string: add authentication samlIdPProfile .*

CVE-2026-3055 affects NetScaler ADC and NetScaler Gateway versions 14.1 before 14.1-66.59 and 13.1 before 13.1-62.23, as well as NetScaler ADC 13.1-FIPS and 13.1-NDcPP before 13.1-37.262. The advisory notes that only customer-managed instances are affected, not cloud instances managed by Citrix.

As of the advisory’s publication, there is no known in-the-wild exploitation and no public proof-of-concept (PoC) available. According to Citrix, the vulnerability was identified internally via security review. However, exploitation of CVE-2026-3055 is likely to occur once exploit code becomes public. Therefore, it is crucial that customers running affected Citrix systems remediate this vulnerability as soon as possible; Citrix software has previously seen memory leak vulnerabilities broadly exploited in the wild, including the infamous “CitrixBleed” vulnerability, CVE-2023-4966, in 2023.

Update #1: On March 29, 2026, a technical analysis of the vulnerability was published by watchTowr Labs. On March 30, 2026, CVE-2026-3055, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation. A Metasploit module for CVE-2026-3055 is available here.

Mitigation guidance

Organizations running affected on-premise instances of NetScaler ADC and NetScaler Gateway should prioritize upgrading to fixed versions on an emergency basis to remediate CVE-2026-3055.

• Affected components:

• NetScaler ADC and NetScaler Gateway versions 14.1, fixed in 14.1-66.59.

• NetScaler ADC and NetScaler Gateway versions 13.1, fixed in 13.1-62.23.

• NetScaler ADC 13.1-FIPS and 13.1-NDcPP, fixed in 13.1-37.262 (also referred to as 13.1.37.262 in the vendor advisory).

Please read the vendor advisory (CTX696300) for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-3055 on Citrix NetScaler ADC with an authenticated vulnerability check expected to be available in the March 26 content release.

Updates

• March 23, 2026: Initial publication.

• March 30, 2026: Updated customer content release date.
• March 31, 2026: Updated overview to note the availability of a technical analysis, addition to KEV, and Metasploit module.

Overview

On February 25, 2026, Cisco disclosed a critical authentication bypass vulnerability in Cisco Catalyst SD‑WAN Controller and Cisco Catalyst SD‑WAN Manager, tracked as CVE‑2026‑20127, that allows an unauthenticated attacker to gain administrative access to affected systems. The Cisco Catalyst SD-WAN Controller and Manager are core components of Cisco’s software-defined wide area networking (SD-WAN) architecture. The issue was originally identified and reported by Australian cybersecurity authorities, who observed real‑world attacks leveraging this flaw. 

Customers running these products must urgently upgrade to a fixed release to prevent further compromise. This vulnerability affects the following deployment types: 

• On-Prem Deployment

• Cisco Hosted SD-WAN Cloud

• Cisco Hosted SD-WAN Cloud - Cisco Managed

• Cisco Hosted SD-WAN Cloud - FedRAMP Environment

At the time of disclosure, Cisco Talos published a report that outlined how malicious actors in the wild leveraged CVE-2026-20127 to gain initial access, then downgraded the software version on the compromised system for post-exploitation activity. After the targeted system had been downgraded to an older vulnerable firmware release, the attackers exploited CVE-2022-20775 to escalate privileges and gain root access to the system. This exploitation in the wild led CISA to issue an emergency directive to Federal Civilian Executive Branch (FCEB) agencies requiring that patches be installed by 5:00PM ET February 27, 2026.

Mitigation guidance

At the time of the advisory’s publication, Cisco does not recommend any workaround strategies for remediation. Organizations running affected instances of Cisco Catalyst SD-WAN Controller or Cisco Catalyst SD-WAN Manager should prioritize upgrading to a fixed version, as outlined below, to remediate CVE-2026-20127.

• Affected Cisco Catalyst SD-WAN major version recommendations:

• 20.11 Release - upgrade to version 20.12.6.1 or above.

• 20.12.5 Release - upgrade to version 20.12.5.3 or above.

• 20.12.6 Release - upgrade to version 20.12.6.1 or above.

• 20.13 Release - upgrade to version 20.15.4.2 or above.

• 20.14 Release - upgrade to version 20.15.4.2 or above.

• 20.15 Release - upgrade to version 20.15.4.2 or above.

• 20.16 Release - upgrade to version 20.18.2.1 or above.

• 20.18 Release - upgrade to version 20.18.2.1 or above.

• 20.9 Release - upgrade to version 20.9.8.2 or above (Cisco estimates a patch availability date of February 27, 2026 for this release).

• Systems running release versions below 20.9 should be migrated to a newer major version with a fix available.

For the latest guidance, refer to the official vendor advisory.

Artifacts/Evidence Sources and IOCs

For any potentially compromised systems, Cisco recommends specific detection and forensic analysis steps to identify exploitation of CVE-2026-20127. According to Cisco, defenders should look for control connection peering events in Cisco Catalyst SD-WAN logs; Cisco states that all peering events will require manual validation to confirm if the events are valid or not, using the following steps:

• Verify the timestamp of each peering event against known maintenance windows, scheduled configuration changes, and normal operational hours for your environment.

• Confirm the public IP address corresponds to infrastructure owned or operated by your organization or authorized partners by cross-referencing against asset inventories and authorized IP ranges.

• Validate the peer system IP matches documented device assignments within your Cisco Catalyst SD-WAN topology.

• Review the peer type (vmanage, vsmart, vedge, vbond) to ensure it aligns with expected device roles in your deployment.

• Correlate multiple events from the same source IP or system IP to identify patterns of reconnaissance or persistent access attempts.

• Cross-reference event timing with authentication logs, change management records, and user activity to establish whether the connection was initiated by authorized personnel.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-20127 with an authenticated check available in the Feb 26 content release.

Updates

• February 25, 2026: Initial publication.

• February 26, 2026: Updated to reflect product content availability.

Overview

On February 6, 2026, BeyondTrust released security advisory BT26-02, disclosing a critical pre-authentication Remote Code Execution (RCE) vulnerability affecting its Remote Support (RS) and Privileged Remote Access (PRA) products. Assigned CVE-2026-1731 and a near-maximum CVSSv4 score of 9.9, the flaw allows unauthenticated, remote attackers to execute arbitrary operating system commands in the context of the site user by sending specially crafted requests. The vulnerability affects Remote Support (RS) versions 25.3.1 and prior, as well as Privileged Remote Access (PRA) versions 24.3.4 and prior. 

While BeyondTrust automatically patched SaaS instances on February 2, 2026, self-hosted customers remain at risk until manual updates are applied. The issue was discovered by researchers at Hacktron AI using AI-enabled variant analysis; they identified approximately 8,500 on-premises instances exposed to the internet that could be susceptible to this straightforward exploitation vector. 

While BeyondTrust has not reported active exploitation of CVE-2026-1731 in the wild, the platform’s immense footprint makes it a high-priority target for sophisticated adversaries. BeyondTrust provides identity security services to more than 20,000 customers across over 100 countries, including 75% of the Fortune 100. This ubiquity has attracted state-sponsored actors in the past; notably, the Chinese hacking group "Silk Typhoon" weaponized previous zero-day flaws (CVE-2024-12356 and CVE-2024-12686) to breach the U.S. Treasury Department and access sensitive data related to sanctions, triggering emergency directives from CISA. Rapid7 research later revealed that the exploitation of CVE-2024-12356 actually required chaining it with a critical, then-unknown SQL injection vulnerability in an underlying PostgreSQL tool (CVE-2025-1094). Given this history of targeted attacks against such a widely used platform, these tools remain a critical attack vector that demands immediate defensive action.

On February 10, 2026, Rapid7 Labs published a full technical analysis of the vulnerability.

On February 13, 2026, CVE-2026-1731, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Mitigation guidance

A vendor-provided patch is available to remediate CVE-2026-1731 in on-premise deployments.

BeyondTrust Remote Support (RS):

• Versions 25.3.1 and prior are affected by CVE-2026-1731.

• CVE-2026-1731 is fixed in 25.3.2 and later.

BeyondTrust Privileged Remote Access (PRA):

• Versions 24.3.4 and prior are affected by CVE-2026-1731.

• CVE-2026-1731 is fixed in 25.1.1 and later.

Please read the vendor advisory for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM and Nexpose customers can assess exposure to CVE-2026-1731 on Remote Support and Privileged Remote Access using authenticated checks available in the Feb 9 content release.

Updates

• February 11, 2026: Updated Rapid7 customers section to confirm checks were available on February 9.

• February 16, 2026: Updated the Overview to add a reference to the technical analysis and to note that CVE-2026-1731 was added to the CISA KEV list.

Overview

On January 29, 2026, Ivanti disclosed two new critical vulnerabilities affecting Endpoint Manager Mobile (EPMM): CVE-2026-1281 and CVE-2026-1340. The vendor has indicated that exploitation in the wild has already occurred prior to disclosure. This has been echoed by CISA who added CVE-2026-1281 to their Known Exploited Vulnerabilities (KEV) catalog shortly after the vendor disclosure. As an indication of how critical this development is, CISA has given a “due date” of only 3 days (Due Feb 1, 2026) for organizations, such as federal agencies, to remediate the vulnerabilities before the affected devices must be removed from a network.

While CVE-2026-1281 has been confirmed as exploited in the wild as a zero day, it is unclear if CVE-2026-1340 has also, or if this vulnerability was found separately to CVE-2026-1281. The two critical vulnerabilities are summarized below.

⠀

⠀

Both CVE-2026-1281 and CVE-2026-1340 are described identically by the vendor; they are code injection issues, allowing a remote unauthenticated attacker to execute arbitrary code on an affected device. Based on the vendor's guidance, the attackers can provide Bash commands as part of a malicious HTTP GET request to the endpoints that service either the “In-House Application Distribution” feature (i.e. /mifs/c/appstore/fob/) or the “Android File Transfer Configuration” feature (i.e. /mifs/c/aftstore/fob/), resulting in arbitrary OS command execution on the target. 

As EPMM is an endpoint management solution for mobile devices, the impact of an attacker compromising the EPMM server is significant. An attacker may be able to access Personally Identifiable Information (PII) regarding mobile device users, such as their names and email addresses, but also their mobile device information, such as their phone numbers, GPS information, and other sensitive unique identification information. This is in addition to the privileged position an attacker will have on the EPMM device itself, which may allow for lateral movement within the compromised network.
Given the nature of the product, EPMM is a high-profile target. It has been repeatedly targeted by zero-day vulnerabilities in the past. In 2023 the product was exploited in the wild via CVE-2023-35078, and again in 2025 via an exploit chain of CVE-2025-4427 and CVE-2025-4428. As of January 30, 2026, a public working proof-of-concept exploit for remote code execution is available. Organizations running EPMM are urged to act quickly and follow the vendor guidance to remediate these issues.

Threat hunting 

The following vendor supplied regular expression can be used to search the HTTP daemon’s log files for evidence of potential exploitation of CVE-2026-1281 and CVE-2026-1340:⠀

^(?!127\.0\.0\.1:\d+ .*$).*?\/mifs\/c\/(aft|app)store\/fob\/.*?404

Mitigation guidance

A vendor supplied update is available to remediate both vulnerabilities.

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.0.x patch:

• Versions 12.7.0.0 and below

• Versions 12.6.0.0 and below

• Versions 12.5.0.0 and below

The following affected versions of Ivanti EPMM are remediated via the RPM 12.x.1.x patch:

• Versions 12.6.1.0 and below

• Versions 12.5.1.0 and below

Customers are advised to update to the latest remediated version of EPMM, on an emergency basis outside of normal patching cycles, as exploitation in-the-wild is already occurring.

For the latest mitigation guidance for Ivanti EPMM, please refer to the vendor’s security advisory. In addition to remediation, the vendor has provided additional threat hunting guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-1281 and CVE-2026-1340 with authenticated vulnerability checks expected to be available in today's (Jan 30) content release. Note that the "Potential" category must be enabled in the scan template to run the checks.

Updates

• January 30, 2026: Added reference to the watchTowr technical analysis and proof-of-concept exploit.

Overview

On January 28, 2026, SolarWinds published an advisory for multiple new vulnerabilities affecting their Web Help Desk product. Web Help Desk is an IT help desk ticketing and asset management software solution. Of the six new CVEs disclosed in the advisory, four are critical, and allow a remote attacker to either achieve unauthenticated remote code execution (RCE) or bypass authentication. 

As of this writing, there is currently no known in-the-wild exploitation occurring. However, we expect this to change as and when technical details become available. Notably, this product has been featured on CISA’s Known Exploited Vulnerabilities (KEV) list twice in the past, circa 2024, indicating that it is a target for real-world attackers.

The six vulnerabilities are summarized below.

Update #1: On February 3, 2026, the unsafe deserialization vulnerability, CVE-2025-40551, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Update #2: On February 12, 2026, the access control bypass vulnerability, CVE-2025-40536, was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation.

Technical overview

Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution. RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.

The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses that allow a remote unauthenticated attacker to execute actions or methods on a target system which are intended to be gated by authentication. Based upon the vendor supplied CVSS scores for these two authentication bypass vulnerabilities, the impact is equivalent to the two RCE deserialization vulnerabilities, likely meaning they can also be leveraged for RCE.

In addition to the four critical vulnerabilities, two high severity vulnerabilities were also disclosed. CVE-2025-40536 is an access control bypass vulnerability, allowing an attacker to access functionality on the target system that is intended to be restricted to authenticated users. Separately, CVE-2025-40537 may, under certain conditions, allow access to some administrative functionality on the target system due to the existence of hardcoded credentials. 

A full technical analysis of CVE-2025-40551, CVE-2025-40536, and CVE-2025-40537 has been published by the original finders, Horizon3.ai.

Mitigation guidance

A vendor supplied update is available to remediate all six vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554, CVE-2025-40536, and CVE-2025-40537. The following product versions are affected:

• SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below.

Customers are advised to update to the latest Web Help Desk version, 2026.1, on an urgent basis outside of normal patching cycles.

For the latest mitigation guidance for SolarWinds Web Help Desk, please refer to the vendor’s security advisory.

Rapid7 customers

Exposure Command, InsightVM and Nexpose customers can assess their exposure to CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 CVE-2025-40554 with remote vulnerability checks available in the Jan 28 content release.

Updates

• January 28, 2026: Added reference to the Horizon3.ai technical analysis.
• January 29, 2026: Updated coverage information
• February 3, 2026: Updated Overview to add a reference to CVE-2025-40551 being added to the CISA KEV list.
• February 13, 2026: Updated Overview to add a reference to CVE-2025-40536 being added to the CISA KEV list.