SolarWinds has released security updates to fix several security flaws affecting Web Help Desk (WHD), including four critical flaws that could lead to remote code execution (RCE) and authentication bypass.

The vulnerabilities are listed below:

- CVE-2025-40536 (CVSS score: 8.1) - A security control bypass vulnerability that could give an unauthorized attacker access to certain restricted functionality.
- CVE-2025-40537 (CVSS score: 7.5) - A hard-coded credentials vulnerability that could grant access to administrative functions using the "client" user account.
- CVE-2025-40551 (CVSS score: 9.8) - An untrusted data deserialization vulnerability that could result in remote code execution, enabling an unauthorized attacker to execute commands on the host system.
- CVE-2025-40552 (CVSS score: 9.8) - An authentication vulnerability that could enable an unauthorized attacker to carry out actions and procedures.
- CVE-2025-40553 (CVSS score: 9.8) - An untrusted data deserialization vulnerability that could enable an unauthenticated attacker to execute code remotely and run commands on the host system.
- CVE-2025-40554 (CVSS score: 9.8) - An authentication bypass vulnerability that might enable an attacker to trigger specific Web Help Desk actions.

The first three vulnerabilities were identified and reported by Jimi Sebree of Horizon3.ai, while Piotr Bazydlo of watchTowr was credited with the remaining three.

All of these issues have been resolved in WHD 2026.1. According to Rapid7, "CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution." Because these vulnerabilities can be exploited without authentication, the impact of either of them is substantial.

RCE via deserialization is a very dependable vector for attackers to use. The cybersecurity firm added that although CVE-2025-40552 and CVE-2025-40554 have been characterized as authentication bypasses, they could also be used to obtain RCE and have the same impact as the other two RCE deserialization vulnerabilities.

A number of vulnerabilities in SolarWinds' Web Help Desk software have been fixed in recent years, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399. Notably, CVE-2025-26399 is a patch bypass for CVE-2024-28988, which is itself a patch bypass for CVE-2024-28986. Late in 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Sebree of Horizon3.ai described CVE-2025-40551 as another deserialization flaw, stemming from the AjaxProxy functionality, that could lead to remote code execution.

According to the researcher, an attacker must perform the following sequence of actions in order to accomplish RCE:

- Create a legitimate session and retrieve important data.
- Create a component called LoginPref.
- Change the LoginPref component's state so that the file upload becomes accessible.
- Create some malicious Java objects in the background using the JSONRPC bridge.
- Activate these malicious Java objects.

Because Web Help Desk vulnerabilities have been weaponized in the past, customers must update to the most recent version of the help desk and IT service management platform as soon as possible.