WithSecure incident
Axios vulnerability in Policy Manager Webreporting
WithSecure experienced a notice incident on April 14, 2026 affecting Business Suite, lasting 1d 23h. The incident has been resolved; the full update timeline is below.
Affected components
Update timeline
- investigating Apr 14, 2026, 02:35 PM UTC
We have identified that WithSecure Policy Manager (PM) includes a version of the Axios library within the web reporting component that is currently flagged as vulnerable. Based on our assessment, the associated risk is low. As a precautionary measure, we recommend reviewing the current firewall and network configuration to ensure that the Policy Manager webreporting interface is not accessible from external networks. Ensuring restricted access to this component significantly reduces any potential exposure. We are investigating a fix for the issue.
- resolved Apr 16, 2026, 02:17 PM UTC
We have created a hotfix for this issue. We advise all our Business Suite partners and customers to apply this hotfix at the earliest opportunity. The risk can further be mitigated by ensuring that Policy Manager’s Web Reporting interface is not accessible from the internet. This can be done with external firewall configurations.
The hotfix can be downloaded from the WithSecure Download Center: https://support.withsecure.com/en/support/download
For more information on the Axios vulnerability (CVE-2026-40175) and WithSecure's response, please visit https://community.withsecure.com/announcements-en/kb/articles/32898-cve-2026-40175-for-axios-javascript-library