Critical RCE and Authentication Bypass Vulnerabilities in SolarWinds Web Help Desk
SolarWinds has released security updates for Web Help Desk (WHD) to address multiple critical vulnerabilities that allow unauthenticated remote attackers to bypass authentication and achieve remote code execution (RCE). The patched issues include two critical authentication bypass flaws, CVE-2025-40552 and CVE-2025-40554 (reported by watchTowr researcher Piotr Bazydlo), and two critical RCE flaws rooted in deserialization of untrusted data, CVE-2025-40553 (Bazydlo) and CVE-2025-40551 (reported by Horizon3.ai researcher Jimi Sebree). All four are reachable without any prior access to the application.
SolarWinds also fixed a high-severity hardcoded credentials issue, CVE-2025-40537, which could enable unauthorized access to administrative functions under certain conditions. The vendor advised administrators to upgrade to Web Help Desk 2026.1 without delay. WHD has a history of being targeted, and CISA has previously flagged WHD vulnerabilities as actively exploited, so rapid attacker interest following disclosure and patch availability is to be expected.
Timeline
Feb 5, 2026
More than 170 exposed WHD instances reported still vulnerable
Researchers reported that over 170 internet-exposed SolarWinds Web Help Desk installations remained vulnerable to CVE-2025-40551 after active exploitation was confirmed, highlighting continued exposure despite available patches.
Feb 3, 2026
CISA sets February 6 deadline for federal remediation
Following the KEV addition, CISA set an urgent remediation deadline of February 6, 2026 for affected federal agencies and urged immediate patching or isolation of exposed systems.
Feb 3, 2026
CISA adds CVE-2025-40551 to KEV as actively exploited
CISA flagged SolarWinds Web Help Desk CVE-2025-40551 as actively exploited in attacks, added it to the Known Exploited Vulnerabilities catalog, and ordered U.S. federal civilian agencies to remediate under BOD 22-01.
Jan 28, 2026
Rapid7 releases detection coverage for critical WHD CVEs
Rapid7 said remote vulnerability checks for the four critical SolarWinds Web Help Desk CVEs were included in its January 28 content release for certain security products.
Jan 28, 2026
Researchers publicly disclose technical details for WHD exploit chain
Horizon3.ai and watchTowr publicly detailed how multiple Web Help Desk weaknesses could be chained to achieve unauthenticated remote code execution, including AjaxProxy/JSON-RPC deserialization paths, request-filter bypasses, static credentials, and indicators of compromise.
Jan 28, 2026
SolarWinds publishes advisory and patches six WHD vulnerabilities
SolarWinds released Web Help Desk 2026.1 and published a security advisory addressing six vulnerabilities affecting versions 12.8.8 Hotfix 1 and earlier, including four critical flaws for unauthenticated RCE and authentication bypass plus two high-severity issues involving access control bypass and hardcoded credentials.
Jan 21, 2026
SolarWinds provides a preview release for WHD fixes
As part of remediation efforts, SolarWinds issued a preview release containing fixes ahead of public availability of the final patched version.
Dec 12, 2025
SolarWinds confirms the reported WHD vulnerabilities
SolarWinds confirmed the reported Web Help Desk vulnerabilities, continuing the coordinated disclosure process.
Dec 5, 2025
Researchers report SolarWinds WHD flaws to PSIRT
Horizon3.ai disclosed vulnerabilities in SolarWinds Web Help Desk to SolarWinds PSIRT, beginning the coordinated disclosure process for what became CVE-2025-40551 and related issues.
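A small triage helper, added here as an example rather than any SolarWinds tooling, that turns a WHD version string into the list of CVEs from this page that a host is still missing fixes for. The fixed versions come from the page itself: 12.8.7 Hotfix 1 for CVE-2025-26399 and 2026.1 for the six vulnerabilities in the January 2026 advisory (which affects 12.8.8 Hotfix 1 and earlier). The "HF" abbreviation, the host inventory, and the assumption that a hotfix sorts above its base release and below the next numbered release are made for the example.

```python
"""Map a SolarWinds Web Help Desk version string to the advisories on this page.

Added example, not a SolarWinds tool. Fixed versions are taken from the page;
the "HF" alias and the sample inventory are assumptions for the demo.
"""
import re
from typing import List, Tuple

# Each entry: (first fixed version, CVEs that version closes). A host is
# treated as affected only if its version sorts strictly below the fix.
ADVISORIES = [
    ("12.8.7 Hotfix 1", ["CVE-2025-26399"]),
    ("2026.1", ["CVE-2025-40536", "CVE-2025-40537", "CVE-2025-40551",
                "CVE-2025-40552", "CVE-2025-40553", "CVE-2025-40554"]),
]

# major.minor[.patch][ Hotfix N | HFN]; "HF" is an assumed shorthand.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\s*(?:hotfix|hf)\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn "12.8.8 Hotfix 1" into (12, 8, 8, 1) so tuples compare correctly.

    A missing patch or hotfix component is 0, so "12.8.7" sorts below
    "12.8.7 Hotfix 1", and "2026.1" sorts above every 12.x release.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def applicable_cves(version: str) -> List[str]:
    """Return the page's CVEs that a host at this version has no fix for."""
    installed = parse_version(version)
    missing: List[str] = []
    for fixed_in, cves in ADVISORIES:
        if installed < parse_version(fixed_in):
            missing.extend(cves)
    return sorted(missing)


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """Rank (hostname, version) pairs most-exposed first, dropping clean hosts."""
    rows = [(host, applicable_cves(ver)) for host, ver in inventory]
    rows = [r for r in rows if r[1]]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))


if __name__ == "__main__":
    # Constructed inventory for the demo; hostnames and versions are made up.
    sample = [
        ("whd-prod-01", "12.8.7"),
        ("whd-prod-02", "12.8.7 Hotfix 1"),
        ("whd-dmz-01", "12.8.8 HF1"),
        ("whd-lab-01", "2026.1"),
    ]
    for host, cves in triage(sample):
        print(f"{host}: {', '.join(cves)}")
```

Feed it whatever your inventory system reports as the WHD product version; anything that does not parse is raised rather than silently treated as patched, which is the right failure direction for a triage script.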
Related Stories

CISA Orders Patching of Exploited SolarWinds Web Help Desk RCE (CVE-2025-40551)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2025-40551**—a critical (CVSS 9.8) *SolarWinds Web Help Desk (WHD)* vulnerability—to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation. The flaw is described as **deserialization of untrusted data** that can enable **unauthenticated remote code execution**, potentially allowing full compromise of affected WHD servers; the issue was reported to SolarWinds by Horizon3.ai researcher **Jimi Sebree**. CISA also issued a directive requiring U.S. federal civilian agencies to patch CVE-2025-40551 by February 6, 2026, and SolarWinds released a fix in *Web Help Desk* version **2026.1**. Reporting tied the bug to a prior WHD issue (**CVE-2024-28986**) and characterized CVE-2025-40551 as part of a sequence of vulnerabilities involving bypasses of earlier fixes; CISA’s KEV update also included additional exploited flaws in **Sangoma FreePBX** (including **CVE-2019-19006** and **CVE-2025-64328**) and **GitLab** (**CVE-2021-39935**, SSRF), expanding the set of vulnerabilities agencies must remediate under KEV timelines.
1 month ago
Active Exploitation of SolarWinds Web Help Desk Insecure Deserialization (CVE-2025-26399)
**CVE-2025-26399** is a **critical insecure deserialization** flaw (CWE-502) in *SolarWinds Web Help Desk* that enables **unauthenticated remote code execution/command execution** over the network. The issue resides in the product’s **`AjaxProxy`** component, where untrusted serialized data can be processed without sufficient validation, allowing an attacker to deliver a crafted payload that results in arbitrary command execution on the host running the help desk application. Multiple reports indicate the vulnerability is **actively exploited in the wild**, prompting **CISA** to add CVE-2025-26399 to the **Known Exploited Vulnerabilities (KEV)** catalog. NetSPI notes the flaw was disclosed in 2025 and is described as a **patch bypass** related to earlier issues (**CVE-2024-28988** and **CVE-2024-28986**), and recommends immediate remediation by upgrading to **SolarWinds Web Help Desk 12.8.7 Hotfix 1 or later**; if patching is delayed, organizations should restrict network exposure of the server and increase monitoring for suspicious process execution and outbound connections.
1 month ago
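The weakness class behind the `AjaxProxy` story above, CWE-502, shown as an added example that is not SolarWinds code. Web Help Desk is a Java application and the real issue involves Java object deserialization; Python's `pickle` stands in for it here because the failure mode is the same: the deserializer instantiates whatever the bytes name, callables included. The `TicketQuery` type, the `echo` command and the JSON schema are constructed for the example.

```python
"""CWE-502 in miniature: a handler that rebuilds objects from client bytes.

Added example, not Web Help Desk code. pickle stands in for Java object
serialization; TicketQuery and the echo command are constructed for the demo.
"""
import io
import json
import pickle
import subprocess
from dataclasses import dataclass
from typing import List


@dataclass
class TicketQuery:
    """Hypothetical request object the endpoint expects to receive."""
    ticket_id: int
    fields: List[str]


# --- attacker side: a payload whose mere deserialization runs a command ----

class _ExecOnLoad:
    """pickle honours __reduce__, so the bytes name a callable plus arguments.

    A harmless echo is used here; the callable could be anything importable.
    """

    def __reduce__(self):
        return (subprocess.check_output, (["echo", "ran-during-deserialization"],))


def attacker_payload() -> bytes:
    return pickle.dumps(_ExecOnLoad())


def benign_payload() -> bytes:
    return pickle.dumps(TicketQuery(ticket_id=42, fields=["status"]))


# --- vulnerable handler ----------------------------------------------------

def unsafe_load(blob: bytes):
    """Lets the wire format decide which objects to build and which calls to make."""
    return pickle.loads(blob)


# --- hardened handlers -----------------------------------------------------

class _RestrictedUnpickler(pickle.Unpickler):
    """Resolve only the one type this endpoint expects; refuse every other global."""

    def find_class(self, module, name):
        if (module, name) == (TicketQuery.__module__, "TicketQuery"):
            return TicketQuery
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_load(blob: bytes) -> TicketQuery:
    obj = _RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, TicketQuery):
        raise pickle.UnpicklingError("unexpected top-level type")
    return obj


def rejected(blob: bytes) -> bool:
    """True when the restricted loader refuses the blob instead of executing it."""
    try:
        restricted_load(blob)
        return False
    except pickle.UnpicklingError:
        return True


def json_load(text: str) -> TicketQuery:
    """Preferred fix: a data-only format plus explicit validation, no object graph."""
    data = json.loads(text)
    if not isinstance(data, dict) or set(data) != {"ticket_id", "fields"}:
        raise ValueError("unexpected keys")
    if not isinstance(data["ticket_id"], int) or not isinstance(data["fields"], list):
        raise ValueError("bad field types")
    if not all(isinstance(f, str) for f in data["fields"]):
        raise ValueError("fields must be strings")
    return TicketQuery(ticket_id=data["ticket_id"], fields=list(data["fields"]))


if __name__ == "__main__":
    print(unsafe_load(attacker_payload()))   # echo output: the handler ran a command
    print(rejected(attacker_payload()))      # True: the allowlist stopped it
    print(restricted_load(benign_payload()))
```

The allowlisting unpickler is the equivalent of a Java `ObjectInputFilter` with a strict class allowlist: it helps, but the object graph is still constructed by the deserializer, so the durable fix is the `json_load` shape, where the server builds its own typed object from validated primitives.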
CISA Flags Actively Exploited SolarWinds Web Help Desk Flaw as Metasploit Adds Exploit Modules
**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, including a critical **SolarWinds Web Help Desk (WHD)** security protection bypass tracked as `CVE-2025-40536` (CVSS 9.8). The issue stems from flawed CSRF-check logic that relies on a whitelist of query parameters, which can be bypassed with crafted URI parameters to reach restricted functionality without authentication; SolarWinds patched the flaw in *WHD 2026.1*. CISA set an accelerated remediation deadline for U.S. Federal Civilian Executive Branch agencies, and Microsoft separately reported an active campaign targeting SolarWinds WHD but did not confirm whether `CVE-2025-40536` was the specific vulnerability exploited. Rapid7 reported that **Metasploit added exploit module support for SolarWinds WHD vulnerabilities `CVE-2025-40536` and `CVE-2025-40551`**, enabling post-exploitation sessions running as `NT AUTHORITY\SYSTEM` when successful. This increases operational risk for unpatched environments by lowering the barrier to exploitation and reinforces the urgency of applying SolarWinds’ available fixes and validating exposure of WHD instances, particularly those reachable from untrusted networks.
1 month ago
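The parameter-allowlist mistake described in the CVE-2025-40536 summary above, as an added, generic illustration rather than WHD's actual filter: the paths, parameter names and token scheme are invented for the example, and the only thing it reproduces from the summary is the shape of the flaw, a list of "public" parameter names deciding whether the CSRF/authentication check runs at all.

```python
"""A request filter whose exemption test looks at query parameters, next to one
keyed on the normalized route. Added example, not Web Help Desk code; all
route and parameter names here are hypothetical.
"""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Hypothetical endpoints that legitimately need no session or CSRF token.
PUBLIC_PATHS = {"/helpdesk/ping", "/helpdesk/login"}
# The flawed design keeps a list of parameter names seen on those public pages
# and treats their presence as proof that the request is a public one.
PUBLIC_PARAM_NAMES = {"ping", "loginForm"}


def vulnerable_needs_check(url: str) -> bool:
    """Exempts the request when any allowlisted parameter name is present.

    The caller controls parameter names, so appending ?ping= to a restricted
    URL switches the check off for that URL.
    """
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return not any(name in PUBLIC_PARAM_NAMES for name in params)


def _normalize_path(path: str) -> str:
    """Collapse repeated and trailing slashes so aliases hit the same rule."""
    return "/" + "/".join(seg for seg in path.split("/") if seg)


def hardened_needs_check(url: str) -> bool:
    """Decides from the normalized path only; the query string has no say."""
    return _normalize_path(urlsplit(url).path) not in PUBLIC_PATHS


def make_csrf_token(server_key: bytes, session_id: str) -> str:
    """Token bound to the session, so a value minted for another session fails."""
    return hmac.new(server_key, session_id.encode(), hashlib.sha256).hexdigest()


def authorize(url: str, session_id: Optional[str], token: Optional[str],
              server_key: bytes, needs_check=hardened_needs_check) -> bool:
    """Allow the request if exempt, or if it carries a session and a matching token."""
    if not needs_check(url):
        return True
    if session_id is None or token is None:
        return False
    return hmac.compare_digest(token, make_csrf_token(server_key, session_id))


if __name__ == "__main__":
    key = b"constructed-demo-key"
    forged = "/helpdesk/admin/users?action=create&ping="
    # Unauthenticated request reaches a restricted route under the flawed filter.
    print(authorize(forged, None, None, key, needs_check=vulnerable_needs_check))  # True
    print(authorize(forged, None, None, key))                                      # False
    sid = "sess-1234"
    print(authorize("/helpdesk/admin/users?action=create", sid,
                    make_csrf_token(key, sid), key))                               # True
```

The path normalization here is deliberately minimal; a real filter has to run after the framework's own URL decoding and canonicalization, or percent-encoded and case-variant aliases of a restricted route become the next bypass.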