SolarWinds has issued a critical security update for its Web Help Desk software, patching a total of six vulnerabilities, including four rated as critical. These flaws, discovered by security researchers from Horizon3.ai and watchTowr, could allow unauthenticated attackers to bypass security controls, escalate privileges, and execute arbitrary code on affected systems. The vulnerability disclosures highlight ongoing risks within widely used IT service management tools and the importance of timely patching.
The newly addressed vulnerabilities in SolarWinds Web Help Desk pose significant risks to organizations relying on the platform for IT support and asset management. The most severe issues, CVE-2025-40551, CVE-2025-40553, CVE-2025-40552, and CVE-2025-40554, all carry a CVSS score of 9.8, indicating a high probability of exploitation and severe impact. These findings underscore the persistent challenges in maintaining robust software security across critical business infrastructure.
Critical Vulnerabilities in SolarWinds Web Help Desk Require Urgent Action
The patch addresses a series of concerning security weaknesses. Jimi Sebree from Horizon3.ai is credited with discovering CVE-2025-40536, a security control bypass allowing unauthenticated access to restricted functions, and CVE-2025-40537, which leverages hard-coded credentials for administrative access. Piotr Bazydlo from watchTowr identified three critical vulnerabilities: CVE-2025-40551 and CVE-2025-40553, both described as untrusted data deserialization flaws leading to remote code execution (RCE), and CVE-2025-40554, an authentication bypass that could allow an attacker to invoke specific actions. An additional authentication bypass vulnerability, CVE-2025-40552, was also reported by watchTowr.
According to Rapid7, the deserialization vulnerabilities, CVE-2025-40551 and CVE-2025-40553, are particularly dangerous. These flaws allow remote, unauthenticated attackers to execute arbitrary operating system commands, effectively granting them full control over the compromised server. The company noted that RCE via deserialization is a highly reliable attack vector, and the lack of authentication required for exploitation significantly amplifies the potential impact.
Similarly, while CVE-2025-40552 and CVE-2025-40554 are classified as authentication bypass vulnerabilities, cybersecurity experts suggest they could also be weaponized to achieve RCE, leading to the same critical consequences as the deserialization flaws. This highlights a potential for multiple attack paths to compromise the Web Help Desk system.
The release of these patches follows a history of security issues within the SolarWinds Web Help Desk software. Previous vulnerabilities, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399, have been addressed in earlier updates. Notably, CVE-2025-26399 was a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986, indicating a persistent cat-and-mouse game between attackers and defenders concerning these specific flaws.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has previously placed CVE-2024-28986 and CVE-2024-28987 on its Known Exploited Vulnerabilities (KEV) catalog in late 2024, confirming that these vulnerabilities were actively being exploited in the wild. This historical context reinforces the urgency for organizations to apply the latest security updates.
Exploitation Vector for Deserialization Vulnerabilities
Horizon3.ai’s analysis of CVE-2025-40551 details a specific exploitation chain. The process involves establishing a valid session to extract key values, creating a ‘LoginPref’ component, and manipulating its state to enable file uploads. Subsequently, an attacker can use the JSONRPC bridge to instantiate malicious Java objects and trigger their execution, ultimately leading to remote code execution.
Given the past weaponization of vulnerabilities within Web Help Desk, it is imperative for all customers to promptly update their installations to the latest version, WHD 2026.1. This proactive measure is crucial to mitigate the risks associated with these critical security flaws and protect against potential cyberattacks targeting IT service management infrastructure.