
SolarWinds has released a security update that addresses multiple security vulnerabilities impacting the SolarWinds Web Help Desk, including four critical vulnerabilities that could lead to authentication bypass and remote code execution (RCE).
Here is the list of vulnerabilities:
CVE-2025-40536 (CVSS score: 8.1) – Security control bypass vulnerability that allows unauthenticated attackers to access certain restricted functionality.
CVE-2025-40537 (CVSS score: 7.5) – Hardcoded credentials vulnerability that allows access to administrative functions using the “Client” user account.
CVE-2025-40551 (CVSS score: 9.8) – Untrusted data deserialization vulnerability that could lead to remote code execution. This could allow an unauthenticated attacker to execute commands on the host machine.
CVE-2025-40552 (CVSS score: 9.8) – Authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions or methods.
CVE-2025-40553 (CVSS score: 9.8) – Untrusted data deserialization vulnerability. This may lead to remote code execution, allowing an unauthenticated attacker to execute commands on the host machine.
CVE-2025-40554 (CVSS score: 9.8) – Authentication bypass vulnerability. An attacker could potentially be able to invoke certain actions within the web help desk.

Jimi Sebree of Horizon3.ai is credited with discovering and reporting the first three vulnerabilities, while Piotr Bazydlo of watchTowr is credited with the remaining three flaws. All issues have been resolved in WHD 2026.1.
“CVE-2025-40551 and CVE-2025-40553 are both critical deserialization of untrusted data vulnerabilities that allow a remote, unauthenticated attacker to achieve RCE on a target system and execute payloads such as executing arbitrary OS commands,” Rapid7 said.
“The impact of either of these two vulnerabilities is significant because RCE with deserialization is a reliable vector available to attackers and these vulnerabilities can be exploited without authentication.”
Although CVE-2025-40552 and CVE-2025-40554 are described as authentication bypasses, they can also be used to obtain RCEs and have the same impact as the other two RCE deserialization vulnerabilities, the cybersecurity firm added.
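The two deserialization flaws discussed above are instances of a general Java weakness: an ObjectInputStream fed attacker-controlled bytes instantiates whatever class the stream names and runs that class's readObject hook before the application ever casts or inspects the result. The following is an added, self-contained Java example (not SolarWinds, Horizon3.ai or Rapid7 code, and not a description of how WHD 2026.1 fixes these bugs) that contrasts that unfiltered pattern with the standard JDK mitigation, an ObjectInputFilter allowlist (JEP 290). The TicketRequest and UnexpectedObject classes are constructed stand-ins; UnexpectedObject only records that its hook ran, which is enough to show the ordering problem.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

// Added illustration of the JEP 290 deserialization allowlist pattern.
// Not SolarWinds code; both nested classes are constructed stand-ins.
public class DeserializationFilterDemo {

    // The only type the application legitimately expects on this channel.
    static final class TicketRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String subject;
        TicketRequest(String subject) { this.subject = subject; }
    }

    // Stand-in for a class the application never intended to receive. A real
    // attack would name a gadget class already on the classpath; this one only
    // records that its readObject hook executed during deserialization.
    static final class UnexpectedObject implements Serializable {
        private static final long serialVersionUID = 1L;
        static boolean readObjectRan = false;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            readObjectRan = true; // side effect runs before any cast or type check
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Vulnerable pattern: deserialize whatever arrives, then cast. The cast fails
    // only after the foreign class has been instantiated and its hook has run.
    static TicketRequest readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return (TicketRequest) ois.readObject();
        }
    }

    // Hardened pattern: an allowlist filter installed before readObject. "!*"
    // rejects every class not named; maxdepth/maxrefs bound resource use.
    // String is listed because it is the one field type TicketRequest carries.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=50;java.lang.String;"
            + TicketRequest.class.getName() + ";!*");

    static TicketRequest readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);
            return (TicketRequest) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] legit = serialize(new TicketRequest("Printer offline"));
        byte[] hostile = serialize(new UnexpectedObject());

        System.out.println("filtered, expected type: " + readFiltered(legit).subject);

        try {
            readUnfiltered(hostile);
        } catch (ClassCastException e) {
            System.out.println("unfiltered: hook ran before the cast failed = "
                    + UnexpectedObject.readObjectRan);
        }

        UnexpectedObject.readObjectRan = false;
        try {
            readFiltered(hostile);
        } catch (InvalidClassException e) {
            System.out.println("filtered: rejected before instantiation, hook ran = "
                    + UnexpectedObject.readObjectRan);
        }
    }
}
```

Compile and run with Java 9 or later. The same allowlist syntax can be applied to every ObjectInputStream in a process through the jdk.serialFilter system property or security property, which is the usual way to cover third-party code paths that construct their own streams; the per-stream filter shown here is the right choice where the expected types are known at the call site.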

In recent years, SolarWinds has released fixes that resolve several flaws in its web help desk software, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399. Note that CVE-2025-26399 addresses a patch bypass for CVE-2024-28988, which is a patch bypass for CVE-2024-28986.
In late 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

In a post describing CVE-2025-40551, Sebree from Horizon3.ai described it as another deserialization vulnerability in the AjaxProxy functionality that could lead to remote code execution. To accomplish RCE, an attacker must perform the following sequence of actions:
1. Create a LoginPref component that establishes a valid session and extracts a key value.
2. Set the state of the LoginPref component to allow access to file uploads.
3. Create malicious Java objects in the background using the JSONRPC bridge.
4. Trigger these malicious Java objects.
Web help desk flaws have been weaponized in the past, so it’s important that customers quickly update to the latest versions of their help desk and IT service management platforms.
