SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE).
The list of vulnerabilities is as follows –
CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality
CVE-2025-40537 (CVSS score: 7.5) – A hard-coded credentials vulnerability that could allow access to administrative functions using the “client” user account
CVE-2025-40551 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
CVE-2025-40552 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods
CVE-2025-40553 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an unauthenticated attacker to run commands on the host machine
CVE-2025-40554 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk
While Jimi Sebree from Horizon3.ai has been credited with discovering and reporting the first three vulnerabilities, watchTowr’s Piotr Bazydlo has been acknowledged for the remaining three flaws. All the issues have been addressed in WHD 2026.1.
“Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution,” Rapid7 said.
“RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.”
While CVE-2025-40552 and CVE-2025-40554 have been described as authentication bypasses, they could also be leveraged to obtain RCE and achieve the same impact as the other two RCE deserialization vulnerabilities, the cybersecurity company added.
In recent years, SolarWinds has released fixes to resolve several flaws in its Web Help Desk software, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399. It’s worth noting that CVE-2025-26399 addresses a patch bypass for CVE-2024-28988, which, in turn, is a patch bypass of CVE-2024-28986.
In late 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
In a post explaining CVE-2025-40551, Horizon3.ai’s Sebree described it as yet another deserialization vulnerability stemming from the AjaxProxy functionality that could result in remote code execution. To achieve RCE, an attacker needs to carry out the following series of actions –
Establish a valid session and extract key values
Create a LoginPref component
Set the state of the LoginPref component to allow us to access the file upload
Use the JSONRPC bridge to create some malicious Java objects behind the scenes
Trigger these malicious Java objects
With flaws in Web Help Desk having been weaponized in the past, it’s essential that customers move quickly to update to the latest version of the help desk and IT service management platform.
📰 Original Source:TheHackerNews ✍️ Author: info@thehackernews.com (The Hacker News)
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Leave a Reply