[00:00] Aaron Cole: This is Prime Cyber Insights. [00:02] Aaron Cole: I'm Aaron Cole. [00:03] Aaron Cole: Today's headline is pretty simple. [00:05] Aaron Cole: CISA just tagged a SolarWinds Web Help Desk flaw as actively exploited. [00:10] Aaron Cole: And yeah, it's the kind of bug you don't schedule for later. [00:14] Lauren Mitchell: I'm Lauren Mitchell. [00:16] Lauren Mitchell: We're going to walk through what CISA's KEV listing means operationally, [00:20] Lauren Mitchell: what to patch, what to look for after you patch, [00:24] Lauren Mitchell: and why that window between disclosure and exploitation just keeps shrinking. [00:28] Aaron Cole: Let's get specific. [00:30] Aaron Cole: CISA added CVE-2025-40551 in SolarWinds Web Help Desk [00:37] Aaron Cole: to the Known Exploited Vulnerabilities Catalog. [00:39] Aaron Cole: It's a CVSS 9.8 issue, deserialization of untrusted data that can lead to remote code [00:46] Aaron Cole: execution, and critically, it can be exploited without authentication. [00:51] Aaron Cole: That combo, unauthenticated plus RCE, is a high-leverage initial access vector. [00:56] Aaron Cole: Even without public details on who's weaponizing it or at what scale, [01:00] Aaron Cole: "actively exploited" means CISA is telling you this is happening in the real world, not just in theory. [01:06] Aaron Cole: So, the immediate playbook is boring but urgent. [01:10] Aaron Cole: First, find every Web Help Desk instance on-prem, tucked into DMZs, [01:15] Aaron Cole: or, you know, forgotten in a lab VLAN. [01:18] Aaron Cole: Second, upgrade to WHD 2026.1, [01:22] Aaron Cole: because SolarWinds shipped fixes not just for this CVE, [01:26] Aaron Cole: but also a cluster of other high-severity ones [01:29] Aaron Cole: released alongside it. [01:31] Lauren Mitchell: And third, [01:31] Lauren Mitchell: treat patching as the start, not the finish. [01:35] Lauren Mitchell: If exploitation is active, you need post-patch validation.
[01:39] Lauren Mitchell: Pull web server and application logs around suspicious requests, [01:42] Lauren Mitchell: check for new processes spawned by the service account, [01:45] Lauren Mitchell: and review any outbound connections from the WHD host [01:49] Lauren Mitchell: that don't match normal ticketing behavior. [01:52] Aaron Cole: CISA didn't stop with SolarWinds. [01:54] Aaron Cole: They also added Sangoma FreePBX bugs, one that's essentially an improper authentication bypass [02:00] Aaron Cole: and another OS command injection, and a GitLab SSRF that researchers previously flagged [02:10] Aaron Cole: during coordinated SSRF scanning surges across multiple platforms. [02:15] Lauren Mitchell: The pattern here matters. [02:17] Lauren Mitchell: Attackers love externally reachable admin and workflow systems, [02:20] Lauren Mitchell: help desk, CI/CD, VoIP management, because compromise is both quiet and powerful. [02:27] Lauren Mitchell: An SSRF in GitLab can become internal recon, metadata harvesting, or a pivot into internal services. [02:34] Lauren Mitchell: FreePBX issues can mean call infrastructure exposure and a foothold into networks that treat telephony as "not IT." [02:42] Aaron Cole: Now, a defensive upgrade to pair with all of this. [02:46] Aaron Cole: Microsoft is adding Sysmon functionality into Windows in Insider Dev and Beta builds. [02:51] Aaron Cole: Sysmon has long been a go-to for deeper endpoint telemetry, [02:55] Aaron Cole: but at enterprise scale, packaging, deployment, and support have been a pain. [03:00] Lauren Mitchell: Built-in Sysmon, disabled by default, [03:03] Lauren Mitchell: could lower friction for collecting high-value events into the standard Windows event log, [03:08] Lauren Mitchell: where SIEM and EDR tools can pick it up. [03:11] Lauren Mitchell: The key operational notes?
[03:13] Lauren Mitchell: Enabling it requires PowerShell, and Microsoft says you'll need to uninstall any existing [03:19] Lauren Mitchell: Sysmon before turning on the built-in version. [03:21] Aaron Cole: Net net, if you run SolarWinds Web Help Desk, treat CVE-2025-40551 like a now problem. [03:29] Aaron Cole: Inventory, patch to 2026.1, then hunt for signs of exploitation. [03:34] Aaron Cole: And zooming out, KEV is your prioritization engine. [03:38] Aaron Cole: If it's on the list, it belongs at the top of your change calendar. [03:42] Michael Turner: And that's today's Prime Cyber Insights. [03:44] Michael Turner: Subscribe for the daily rundown, and for links and notes head to pci.neuralnewscast.com. [03:51] Michael Turner: Neural Newscast is AI-assisted, human-reviewed. [03:55] Michael Turner: View our AI transparency policy at neuralnewscast.com.