top of page
Search

SolarWinds Addresses Critical Vulnerabilities in Web Help Desk

  • Jan 29
  • 1 min read

Key Findings


  • SolarWinds has released security updates to address six vulnerabilities in their Web Help Desk product, including four critical flaws.

  • The four critical vulnerabilities could be exploited without authentication to achieve remote code execution (RCE) or bypass authentication:

  • CVE-2025-40551 (CVSS 9.8) - Unauthenticated RCE via deserialization of untrusted data

  • CVE-2025-40552 (CVSS 9.8) - Authentication bypass to execute actions and methods

  • CVE-2025-40553 (CVSS 9.8) - Unauthenticated RCE via deserialization of untrusted data

  • CVE-2025-40554 (CVSS 9.8) - Authentication bypass to invoke specific actions


Background


  • The vulnerabilities were discovered and reported by researchers from watchTowr and Horizon3.ai.

  • In recent years, SolarWinds has released fixes for several other flaws in its Web Help Desk software, including ones that were actively exploited in the wild.

  • Due to the critical nature and lack of authentication requirements, the vulnerabilities pose a severe risk to affected systems if not patched promptly.


Impact


  • Successful exploitation of the RCE vulnerabilities (CVE-2025-40551 and CVE-2025-40553) could allow an unauthenticated attacker to execute arbitrary commands on the host system.

  • The authentication bypass flaws (CVE-2025-40552 and CVE-2025-40554) could give an attacker broad control over the application and access to sensitive functionality.

  • Together, these vulnerabilities highlight systemic weaknesses in authentication, authorization, and secure coding practices within SolarWinds Web Help Desk.


Recommended Actions


  • SolarWinds customers are urged to update to Web Help Desk version 2026.1 as soon as possible to address these critical vulnerabilities.

  • IT teams should closely monitor for any indicators of compromise and ensure all systems are properly patched and secured.

  • Organizations should review their vulnerability management and patch deployment processes to quickly address high-risk flaws in mission-critical applications.


Sources


  • https://securityaffairs.com/187470/security/solarwinds-addressed-four-critical-web-help-desk-flaws.html

  • https://thehackernews.com/2026/01/solarwinds-fixes-four-critical-web-help.html

  • https://www.securityweek.com/solarwinds-patches-critical-web-help-desk-vulnerabilities/amp/

  • https://www.ctrlaltnod.com/news/solarwinds-fixes-critical-web-help-desk-rce-flaws-under-attack/

  • https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/

Recent Posts

See All

Comments

  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page