SolarWinds addressed four critical Web Help Desk flaws

SolarWinds patched six Web Help Desk vulnerabilities, including four critical flaws exploitable without authentication for RCE or auth bypass.

SolarWinds released security updates to address six Web Help Desk vulnerabilities, including four critical bugs that allow unauthenticated remote code execution or authentication bypass.

The three critical flaws found by watchTowr, and specifically by researcher Piotr Bazydlo, affect SolarWinds Web Help Desk and can be exploited without authentication, exposing affected systems to severe risk.

The first issue, tracked as CVE-2025-40552, is an authentication bypass vulnerability that allows a remote attacker to circumvent access controls and execute actions and methods that should only be available to authenticated users. Exploitation of this flaw could give an attacker broad control over the application.

The second vulnerability, CVE-2025-40553, is caused by the deserialization of untrusted data and can be exploited to achieve remote code execution. Because authentication is not required, an attacker could run arbitrary commands on the underlying host system, potentially leading to a full system compromise.

The third flaw, CVE-2025-40554, is another authentication bypass vulnerability that enables an attacker to invoke specific internal actions within Web Help Desk without proper authorization. While more targeted in scope, successful exploitation could still allow unauthorized access to sensitive functionality and be used as a stepping stone for further attacks.

The fourth critical flaw, tracked as CVE-2025-40551, was found by Jimi Sebree of Horizon3.ai and affects SolarWinds Web Help Desk through the deserialization of untrusted data. This vulnerability allows an unauthenticated attacker to achieve remote code execution, enabling the execution of arbitrary commands on the underlying host system and potentially leading to a complete compromise of the affected server. Due to its impact and lack of authentication requirements, the issue is rated critical (CVSS 9.8).

“We discovered a handful of security issues in Solarwinds Web Help Desk. These issues include…

• … an unauthenticated remote-code execution vulnerability via deserialization.
• … static credentials that allow limited access to authenticated functionality.
• … a security protection bypass regarding protected site actions.

These vulnerabilities are easily exploitable and enable unauthenticated attackers to achieve remote code execution on vulnerable Solarwinds Web Help Desk instances.” reads the advisory published by Horizon3. “Solarwinds has stated that these issues are patched in Web Help Desk version 2026.1, and we encourage all users to upgrade as soon as possible.“

All the critical flaws have a CVSS score of 9.8.

In addition to this critical issue, Horizon3.ai also identified two high-severity vulnerabilities. The first, CVE-2025-40536, is a security control bypass vulnerability that could allow an unauthenticated attacker to access certain restricted functionality within Web Help Desk. While more limited in scope than the critical flaws, successful exploitation could still expose sensitive features and weaken the application’s overall security posture.

The second high-severity issue, CVE-2025-40537, involves the presence of hardcoded credentials in SolarWinds Web Help Desk. Under specific conditions, this vulnerability could be exploited to gain access to administrative functions, significantly increasing the risk of privilege escalation and unauthorized system management.

Together, these findings underscore systemic weaknesses in authentication, authorization, and secure coding practices within SolarWinds Web Help Desk, particularly when combined with the previously disclosed critical vulnerabilities.

Web Help Desk version 2026.1 fixed all these six vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, SolarWinds)