SolarWinds has issued an urgent call for administrators to patch its Web Help Desk (WHD) software following the discovery of six security vulnerabilities. Among these are four critical-severity flaws that could allow unauthenticated attackers to bypass security protocols or execute arbitrary commands on host systems.
The vulnerabilities, which affect versions up to 12.8.8 Hotfix 1, have been addressed in the newly released Web Help Desk version 2026.1.
High-Impact Exploits: Deserialization and Auth Bypass
Security researchers from Horizon3.ai and watchTowr identified the flaws, which include two distinct Remote Code Execution (RCE) vectors. According to cybersecurity firm Rapid7, these RCE flaws (CVE-2025-40551 and CVE-2025-40553) utilize untrusted data deserialization, a highly reliable method for attackers to gain full control of a target machine without needing valid login credentials.
The four critical vulnerabilities (all carrying a CVSS score of 9.8) are:
CVE-2025-40552 & CVE-2025-40554: Authentication bypass vulnerabilities that allow attackers to invoke internal actions usually reserved for authorized users.
Experts warn that even the authentication bypasses could be leveraged as stepping stones to achieve RCE, effectively granting an attacker the same level of access as the deserialization bugs.
A History of Persistence
This latest round of patches follows a turbulent period for the Web Help Desk platform. In late 2024 and throughout 2025, several other critical flaws—such as CVE-2024-28986 and its subsequent patch bypasses—were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The recurring nature of these issues highlights a “patch-on-patch” cycle that SolarWinds aims to break with the release of version 2026.1. This update reportedly transitions the software to a more modern framework, intended to eliminate legacy code debt and improve overall security maintainability.
CVE ID
Severity (CVSS)
Primary Risk
Reporter
CVE-2025-40551
9.8 (Critical)
Remote Code Execution
Jimi Sebree (Horizon3.ai)
CVE-2025-40553
9.8 (Critical)
Remote Code Execution
Piotr Bazydlo (watchTowr)
CVE-2025-40552
9.8 (Critical)
Auth Bypass
Piotr Bazydlo (watchTowr)
CVE-2025-40554
9.8 (Critical)
Auth Bypass
Piotr Bazydlo (watchTowr)
CVE-2025-40536
8.1 (High)
Control Bypass
Jimi Sebree (Horizon3.ai)
CVE-2025-40537
7.5 (High)
Hardcoded Credentials
Jimi Sebree (Horizon3.ai)
SolarWinds Urges Immediate Updates After Critical RCE and Auth Bypass Flaws Hit Web Help Desk
SolarWinds has issued an urgent call for administrators to patch its Web Help Desk (WHD) software following the discovery of six security vulnerabilities. Among these are four critical-severity flaws that could allow unauthenticated attackers to bypass security protocols or execute arbitrary commands on host systems.
The vulnerabilities, which affect versions up to 12.8.8 Hotfix 1, have been addressed in the newly released Web Help Desk version 2026.1.
High-Impact Exploits: Deserialization and Auth Bypass
Security researchers from Horizon3.ai and watchTowr identified the flaws, which include two distinct Remote Code Execution (RCE) vectors. According to cybersecurity firm Rapid7, these RCE flaws (CVE-2025-40551 and CVE-2025-40553) utilize untrusted data deserialization, a highly reliable method for attackers to gain full control of a target machine without needing valid login credentials.
The four critical vulnerabilities (all carrying a CVSS score of 9.8) are:
CVE-2025-40552 & CVE-2025-40554: Authentication bypass vulnerabilities that allow attackers to invoke internal actions usually reserved for authorized users.
Experts warn that even the authentication bypasses could be leveraged as stepping stones to achieve RCE, effectively granting an attacker the same level of access as the deserialization bugs.
A History of Persistence
This latest round of patches follows a turbulent period for the Web Help Desk platform. In late 2024 and throughout 2025, several other critical flaws—such as CVE-2024-28986 and its subsequent patch bypasses—were added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.
The recurring nature of these issues highlights a “patch-on-patch” cycle that SolarWinds aims to break with the release of version 2026.1. This update reportedly transitions the software to a more modern framework, intended to eliminate legacy code debt and improve overall security maintainability.
Key Vulnerabilities at a Glance
CVE ID
Severity (CVSS)
Primary Risk
Reporter
CVE-2025-40551
9.8 (Critical)
Remote Code Execution
Jimi Sebree (Horizon3.ai)
CVE-2025-40553
9.8 (Critical)
Remote Code Execution
Piotr Bazydlo (watchTowr)
CVE-2025-40552
9.8 (Critical)
Auth Bypass
Piotr Bazydlo (watchTowr)
CVE-2025-40554
9.8 (Critical)
Auth Bypass
Piotr Bazydlo (watchTowr)
CVE-2025-40536
8.1 (High)
Control Bypass
Jimi Sebree (Horizon3.ai)
CVE-2025-40537
7.5 (High)
Hardcoded Credentials
Jimi Sebree (Horizon3.ai)
Security Note: One of the high-severity flaws (CVE-2025-40537) involves a default “client” account. While intended for demos, researchers found that in some environments, this account could be used to escalate privileges to administrative levels.
Immediate Action Required
Given that Web Help Desk is widely utilized in sensitive sectors including healthcare, government, and education, the risk of weaponization is high. SolarWinds advises all organizations to transition to WHD 2026.1 immediately.
Beyond patching, IT teams should verify that default accounts are disabled and ensure the principle of least privilege is applied across the platform to mitigate the potential impact of any future exploits.
