Over 170 SolarWinds Help Desk Installations Exposed to Critical Remote Code Execution Vulnerability
Recent cybersecurity analyses have revealed that over 170 instances of SolarWinds Web Help Desk (WHD) remain susceptible to a severe remote code execution (RCE) vulnerability, identified as CVE-2025-40551. This flaw, carrying a critical CVSS score of 9.8, enables unauthenticated attackers to execute arbitrary commands on affected systems by exploiting insecure deserialization processes within the software’s AjaxProxy component.
Understanding CVE-2025-40551
CVE-2025-40551 is an insecure deserialization vulnerability present in SolarWinds WHD versions prior to 2026.1. The issue arises from the software’s handling of serialized Java objects, which, when manipulated by malicious actors, can lead to unauthorized command execution on the host machine. This vulnerability is particularly alarming due to its unauthenticated nature, allowing remote exploitation without the need for valid credentials.
Discovery and Reporting
The Shadowserver Foundation, a nonprofit organization dedicated to improving internet security, has been actively monitoring and reporting on vulnerable SolarWinds WHD installations. Through their Vulnerable HTTP reports, they have identified approximately 170 exposed instances based on version checks. These publicly accessible installations are prime targets for threat actors, given the ease with which the vulnerability can be exploited.
In a recent statement, The Shadowserver Foundation highlighted the severity of the situation:
> For the last few days, we have been sharing SolarWinds Help Desk CVE-2025-40551 RCE vulnerable IPs (version check based) – ~170 seen. This vuln is now on @CISACyber KEV.
Active Exploitation and CISA’s Response
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-40551 to its Known Exploited Vulnerabilities (KEV) catalog on February 3, 2026, confirming active exploitation in the wild. Under Binding Operational Directive 22-01, federal civilian executive branch agencies were mandated to remediate this vulnerability by February 6, 2026. The inclusion in the KEV catalog underscores the elevated risk associated with this vulnerability and the necessity for immediate action.
Technical Details and Exploitation Pathways
The vulnerability stems from the deserialization of untrusted data within the AjaxProxy component of SolarWinds WHD. Attackers can craft malicious serialized Java objects and send them to the application, which, when processed, execute arbitrary commands on the underlying host machine. This method of exploitation is particularly dangerous as it requires no authentication and can be performed remotely over the network.
Researchers at Horizon3.ai discovered this vulnerability alongside several related security issues, including static credentials and security protection bypasses. The combination of these flaws amplifies the potential impact, allowing attackers to gain full control over affected systems without user interaction.
Mitigation and Recommendations
In response to the discovery, SolarWinds released version 2026.1 to address CVE-2025-40551, along with three related vulnerabilities:
– CVE-2025-40552: Authentication bypass
– CVE-2025-40553: Deserialization RCE
– CVE-2025-40554: Authentication bypass
All four vulnerabilities carry critical CVSS scores of 9.8 and enable various forms of unauthenticated access and code execution.
Organizations utilizing affected versions of SolarWinds WHD are strongly urged to apply the vendor-provided updates immediately. The widespread use of this software, coupled with confirmed active exploitation, makes these installations prime targets for threat actors.
Broader Implications and Industry Response
The discovery of CVE-2025-40551 and its active exploitation highlight the persistent challenges in securing IT management and service desk platforms. These systems often hold privileged access and play central roles in organizational operations, making them attractive targets for cybercriminals.
BitSight, a cybersecurity ratings company, assigned the vulnerability a Dynamic Vulnerability Exploit (DVE) score of 9.19, reflecting extreme technical severity with credible exploitation likelihood. They noted that attackers continue to prioritize IT management and service desk platforms due to their privileged access and central operational role.
Conclusion
The exposure of over 170 SolarWinds Web Help Desk installations to a critical RCE vulnerability underscores the importance of proactive cybersecurity measures. Organizations must remain vigilant, promptly apply security patches, and continuously monitor their systems to mitigate potential threats. The collaboration between security researchers, organizations like The Shadowserver Foundation, and governmental agencies such as CISA plays a crucial role in identifying vulnerabilities and coordinating responses to protect the broader digital ecosystem.
