SolarWinds Fixes Four Critical Web Help Desk Flaws Allowing Unauthenticated RCE and Authentication Bypass

SolarWinds has issued security updates to fix multiple vulnerabilities affecting SolarWinds Web Help Desk (WHD), including four critical flaws that could enable unauthenticated attackers to bypass authentication and execute arbitrary code on affected systems.

The vulnerabilities pose a serious risk to organizations using the platform, as several of the issues can be exploited without valid credentials, potentially giving attackers full control over the underlying host.

List of Fixed Vulnerabilities

The following security issues have been addressed by SolarWinds:

  • CVE-2025-40536 (CVSS 8.1)
    A security control bypass flaw that may allow unauthenticated attackers to access restricted application functionality.
  • CVE-2025-40537 (CVSS 7.5)
    A hard-coded credentials issue that could permit access to administrative functions through the built-in “client” user account.
  • CVE-2025-40551 (CVSS 9.8)
    A deserialization of untrusted data vulnerability that can lead to unauthenticated remote code execution, allowing attackers to run operating system commands.
  • CVE-2025-40552 (CVSS 9.8)
    An authentication bypass flaw enabling unauthenticated attackers to execute application actions and internal methods.
  • CVE-2025-40553 (CVSS 9.8)
    Another untrusted deserialization issue resulting in unauthenticated remote code execution on the target system.
  • CVE-2025-40554 (CVSS 9.8)
    An authentication bypass vulnerability that could allow attackers to invoke specific Web Help Desk actions.

The first three vulnerabilities were discovered and reported by Jimi Sebree of Horizon3.ai, while the remaining flaws were identified by Piotr Bazydlo from watchTowr. All issues have been resolved in SolarWinds Web Help Desk version 2026.1.

High Impact of Deserialization Vulnerabilities

According to Rapid7, both CVE-2025-40551 and CVE-2025-40553 are particularly dangerous due to their reliability and impact.

“Deserialization-based RCE vulnerabilities are highly reliable for attackers, and when they can be exploited without authentication, the potential damage is severe,” Rapid7 stated.

The company also noted that the authentication bypass flaws, CVE-2025-40552 and CVE-2025-40554, could be chained to achieve remote code execution, resulting in an impact comparable to the critical deserialization vulnerabilities.


History of Exploitation in Web Help Desk

SolarWinds Web Help Desk has faced repeated security challenges in recent years. Previously patched vulnerabilities include CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399.

Notably, CVE-2025-26399 addressed a patch bypass for CVE-2024-28988, which itself bypassed protections for CVE-2024-28986. Due to confirmed exploitation in the wild, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog in late 2024.

Technical Details of the RCE Attack Chain

In a technical breakdown, Horizon3.ai explained that CVE-2025-40551 originates from insecure deserialization within the AjaxProxy functionality. Exploitation requires attackers to:

  1. Establish a valid session and extract required values
  2. Create a LoginPref component
  3. Modify its state to enable file upload access
  4. Use the JSON RPC bridge to construct malicious Java objects
  5. Trigger execution of the malicious objects to achieve RCE
