SolarWinds Releases Critical Security Updates for Web Help Desk to Address Remote Code Execution and Authentication Bypass Vulnerabilities
SolarWinds has recently issued a series of security updates targeting multiple vulnerabilities within its Web Help Desk (WHD) software. Among these, four critical flaws have been identified that could potentially allow unauthorized access and remote code execution (RCE) on affected systems.
Detailed Overview of the Vulnerabilities:
1. CVE-2025-40536 (CVSS Score: 8.1): This vulnerability involves a security control bypass, enabling an unauthenticated attacker to access certain restricted functionalities within the WHD system.
2. CVE-2025-40537 (CVSS Score: 7.5): A hard-coded credentials issue has been discovered, which could permit access to administrative functions through the client user account.
3. CVE-2025-40551 (CVSS Score: 9.8): This critical flaw pertains to the deserialization of untrusted data, potentially leading to remote code execution. An unauthenticated attacker could exploit this to execute arbitrary commands on the host machine.
4. CVE-2025-40552 (CVSS Score: 9.8): An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods within the WHD system.
5. CVE-2025-40553 (CVSS Score: 9.8): Similar to CVE-2025-40551, this involves deserialization of untrusted data, leading to potential remote code execution by unauthenticated attackers.
6. CVE-2025-40554 (CVSS Score: 9.8): Another authentication bypass issue, enabling attackers to invoke specific actions within the Web Help Desk.
Contributors to the Discovery:
The first three vulnerabilities were identified and reported by Jimi Sebree from Horizon3.ai, while the latter three were credited to Piotr Bazydlo of watchTowr. SolarWinds has addressed all these issues in the WHD 2026.1 release.
Insights from Security Experts:
Rapid7, a cybersecurity firm, emphasized the severity of the deserialization vulnerabilities (CVE-2025-40551 and CVE-2025-40553), noting that they allow remote unauthenticated attackers to achieve RCE on target systems. They highlighted that RCE via deserialization is a highly reliable vector for attackers, and given the lack of authentication required, the impact is significant.
Furthermore, while CVE-2025-40552 and CVE-2025-40554 are categorized as authentication bypasses, they could also be exploited to achieve remote code execution, similar to the deserialization vulnerabilities.
Historical Context:
SolarWinds has previously addressed several vulnerabilities in its Web Help Desk software, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399. Notably, CVE-2025-26399 was a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. In late 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Technical Breakdown of CVE-2025-40551:
Horizon3.ai’s Sebree provided a detailed explanation of CVE-2025-40551, describing it as another deserialization vulnerability stemming from the AjaxProxy functionality. To exploit this for remote code execution, an attacker would need to:
– Establish a valid session and extract key values.
– Create a LoginPref component.
– Set the state of the LoginPref component to access the file upload feature.
– Use the JSONRPC bridge to create malicious Java objects behind the scenes.
– Trigger these malicious Java objects to execute the attack.
Recommendations for Users:
Given the history of vulnerabilities in the Web Help Desk software being exploited in the wild, it is imperative for users to promptly update to the latest version of the platform. Ensuring that systems are patched against these critical vulnerabilities will help mitigate potential risks associated with unauthorized access and remote code execution.
