Over 170 SolarWinds Help Desk Installations Exposed to Critical Remote Code Execution Vulnerability
A significant security concern has emerged as over 170 instances of SolarWinds Web Help Desk (WHD) installations remain susceptible to a critical remote code execution (RCE) vulnerability. This flaw, identified as CVE-2025-40551, has been actively exploited and recently added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
Understanding CVE-2025-40551
CVE-2025-40551 is a severe vulnerability with a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, indicating its critical nature. The flaw resides in the AjaxProxy component of SolarWinds WHD versions prior to 2026.1. It allows unauthenticated attackers to execute arbitrary commands on the host system by exploiting insecure deserialization of untrusted data. This means that an attacker can send specially crafted serialized Java objects to the application, which, when processed, can lead to full system compromise without requiring any user interaction or authentication.
Discovery and Reporting
The vulnerability was uncovered by security researchers at Horizon3.ai, who identified it alongside other related security issues, including static credentials and security protection bypasses. Their findings highlight the persistent challenges in securing IT management platforms, which are often targeted due to their privileged access and central role in organizational operations.
Exposure and Active Exploitation
The Shadowserver Foundation, a nonprofit organization dedicated to improving internet security, has been actively monitoring and reporting on vulnerable SolarWinds WHD installations. Their Vulnerable HTTP reports have identified approximately 170 exposed instances based on version checks. These publicly accessible installations are critical targets for threat actors, as the vulnerability can be exploited remotely over the network without any authentication.
CISA added CVE-2025-40551 to its KEV catalog on February 3, 2026, confirming that the vulnerability is being actively exploited in the wild. Under Binding Operational Directive 22-01, federal civilian executive branch agencies are mandated to remediate this vulnerability by February 6, 2026. The inclusion in the KEV catalog underscores the elevated risk associated with this flaw and the urgency for organizations to address it promptly.
Technical Details and Impact
The vulnerability stems from the deserialization of untrusted data within the AjaxProxy component of SolarWinds WHD. Deserialization is the process of converting serialized data back into its original object form. When this process is not securely implemented, it can allow attackers to inject malicious code that gets executed during deserialization. In the case of CVE-2025-40551, an attacker can craft a malicious serialized object and send it to the WHD application. Upon processing this object, the application executes the embedded malicious code, granting the attacker the ability to execute arbitrary commands on the host system.
The impact of this vulnerability is profound. Successful exploitation grants attackers full control over the confidentiality, integrity, and availability of the affected system. They can execute commands with the privileges of the Web Help Desk service account, potentially leading to data breaches, system disruptions, and further infiltration into the organization’s network.
Mitigation and Recommendations
SolarWinds has responded to this critical vulnerability by releasing version 2026.1 of Web Help Desk, which addresses CVE-2025-40551 along with three related vulnerabilities:
– CVE-2025-40552: Authentication bypass vulnerability.
– CVE-2025-40553: Another deserialization RCE vulnerability.
– CVE-2025-40554: Additional authentication bypass vulnerability.
All four vulnerabilities carry critical CVSS scores of 9.8 and enable various forms of unauthenticated access and code execution.
Organizations using affected versions of SolarWinds WHD are strongly urged to take the following actions:
1. Immediate Update: Upgrade to Web Help Desk version 2026.1 to remediate the identified vulnerabilities.
2. Review Configurations: Disable default accounts and enforce strict request filtering to enhance security.
3. Monitor Systems: Regularly monitor system logs and network traffic for signs of exploitation or unauthorized access.
4. Implement Access Controls: Restrict access to the Web Help Desk application to trusted networks and users.
5. Educate Staff: Provide training to IT staff on recognizing and responding to potential security incidents.
Conclusion
The discovery and active exploitation of CVE-2025-40551 in SolarWinds Web Help Desk installations serve as a stark reminder of the importance of timely vulnerability management and system updates. Organizations must remain vigilant, promptly apply security patches, and implement robust security measures to protect their systems from potential threats. By taking proactive steps, organizations can mitigate the risks associated with such vulnerabilities and safeguard their critical IT infrastructure.
