Overview
On January 28, 2026, SolarWinds published an advisory for multiple new vulnerabilities affecting their Web Help Desk product. Web Help Desk is an IT help desk ticketing and asset management software solution. Of the six new CVEs disclosed in the advisory, four are critical, and allow a remote attacker to either achieve unauthenticated remote code execution (RCE) or bypass authentication.
As of this writing, there is currently no known in-the-wild exploitation occurring. However, we expect this to change as and when technical details become available. Notably, this product has been featured on CISA’s Known Exploited Vulnerabilities (KEV) list twice in the past, circa 2024, indicating that it is a target for real-world attackers.
The six vulnerabilities are summarized below.
CVE | CVSSv3 | CWE |
9.8 (Critical) | Deserialization of Untrusted Data (CWE-502) | |
9.8 (Critical) | Weak Authentication (CWE-1390) | |
9.8 (Critical) | Deserialization of Untrusted Data (CWE-502) | |
9.8 (Critical) | Weak Authentication (CWE-1390) | |
8.1 (High) | Protection Mechanism Failure (CWE-693) | |
7.5 (High) | Use of Hard-coded Credentials (CWE-798) |
Technical overview
Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution. RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.
The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses that allow a remote unauthenticated attacker to execute actions or methods on a target system which are intended to be gated by authentication. Based upon the vendor supplied CVSS scores for these two authentication bypass vulnerabilities, the impact is equivalent to the two RCE deserialization vulnerabilities, likely meaning they can also be leveraged for RCE.
In addition to the four critical vulnerabilities, two high severity vulnerabilities were also disclosed. CVE-2025-40536 is an access control bypass vulnerability, allowing an attacker to access functionality on the target system that is intended to be restricted to authenticated users. Separately, CVE-2025-40537 may, under certain conditions, allow access to some administrative functionality on the target system due to the existence of hardcoded credentials.
A full technical analysis of CVE-2025-40551, CVE-2025-40536, and CVE-2025-40537 has been published by the original finders, Horizon3.ai.
Mitigation guidance
A vendor supplied update is available to remediate all six vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554, CVE-2025-40536, and CVE-2025-40537. The following product versions are affected:
SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below.
Customers are advised to update to the latest Web Help Desk version, 2026.1, on an urgent basis outside of normal patching cycles.
For the latest mitigation guidance for SolarWinds Web Help Desk, please refer to the vendor’s security advisory.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose customers can assess their exposure to CVE-2025-40551, CVE-2025-40552, CVE-2025-40553 and CVE-2025-40554 with remote vulnerability checks expected to be available in today's (28 Jan) content release.
Updates
- January 28, 2026: Added reference to the Horizon3.ai technical analysis.
