SolarWinds Addresses Critical RCE and Auth Bypass Vulnerabilities

SolarWinds Web Help Desk Patches Address Critical RCE and Authentication Bypass Vulnerabilities

SolarWinds has released security updates for its Web Help Desk (WHD) software to address multiple critical vulnerabilities, including those that could lead to remote code execution (RCE) and authentication bypass. It is crucial for organizations to apply these patches promptly, especially given WHD’s extensive use across various sectors. SolarWinds claims over 300,000 global customers. Businesses should be aware of the potential risks and take immediate action to secure their systems.

Vulnerability Details

The security updates address several high-severity weaknesses:

• CVE-2025-40536: A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to restricted functionality (CVSS score: 8.1).
• CVE-2025-40537: A hard-coded credentials vulnerability that could allow access to administrative functions using the "client" user account (CVSS score: 7.5).
• CVE-2025-40551: An untrusted data deserialization vulnerability that could lead to remote code execution, allowing an unauthenticated attacker to run commands on the host machine (CVSS score: 9.8).
• CVE-2025-40552: An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods (CVSS score: 9.8).
• CVE-2025-40553: An untrusted data deserialization vulnerability that could lead to remote code execution, allowing an unauthenticated attacker to run commands on the host machine (CVSS score: 9.8).
• CVE-2025-40554: An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk (CVSS score: 9.8).

These vulnerabilities affect SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below and have been fixed in version 2026.1. Rapid7 noted that RCE via deserialization is a highly reliable vector for attackers, and the impact of these vulnerabilities is significant due to their exploitability without authentication.

Discovery and Reporting

Jimi Sebree from Horizon3.ai discovered and reported CVE-2025-40536, CVE-2025-40537, and CVE-2025-40551. Piotr Bazydlo from watchTowr identified CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. SolarWinds has credited both researchers for their findings.

Technical Analysis of CVE-2025-40551

Horizon3.ai provided a technical analysis of CVE-2025-40551, detailing how this deserialization vulnerability in the AjaxProxy functionality could lead to remote code execution. To achieve RCE, an attacker would need to:

1. Establish a valid session and extract key values.
2. Create a LoginPref component.
3. Set the state of the LoginPref component to allow access to the file upload.
4. Use the JSONRPC bridge to create malicious Java objects.
5. Trigger these malicious Java objects.

This vulnerability underscores the need for robust security measures to prevent unauthorized access and code execution.

Past Exploitation and CISA Involvement

SolarWinds Web Help Desk has been targeted in the past. In September 2025, a patch bypass (CVE-2025-26399) for a WHD RCE flaw was reported. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged it as actively exploited and added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating patching by federal agencies. Additionally, in October 2024, CISA tagged a critical Web Help Desk hardcoded credentials flaw as actively exploited.

Mitre ATT&CK Techniques

The SolarWinds Web Help Desk vulnerabilities align with several MITRE ATT&CK tactics and techniques:

• TA0002 – Execution: Attackers can leverage the RCE flaws to run malicious code directly on the server. More info
• TA0004 – Privilege Escalation: Both the RCE and hardcoded credentials vulnerabilities enable attackers to gain elevated privileges. More info
• TA0001 – Initial Access: Exploitation occurs through:
  • T1190 – Exploit Public-Facing Application More info
  • T1203 – Exploitation for Client Execution (for RCE flaws) More info
  • T1068 – Exploitation for Privilege Escalation (for RCE & hardcoded credentials) More info

Remediation and Recommendations

SolarWinds recommends upgrading to Web Help Desk version 2026.1 immediately. This update includes patches for all identified vulnerabilities. Arctic Wolf also recommends that customers upgrade to the latest fixed version, following their organization’s patching and testing guidelines to minimize potential operational impact.

Security solutions like Gopher Security offer AI-powered, post-quantum Zero-Trust cybersecurity architecture that can help mitigate such risks. Our platform converges networking and security across devices, apps, and environments using peer-to-peer encrypted tunnels and quantum-resistant cryptography. This ensures robust protection against potential exploits, including those targeting vulnerabilities like the ones found in SolarWinds Web Help Desk.

Gopher Security's Zero-Trust approach can significantly reduce the attack surface and prevent unauthorized access, even if vulnerabilities exist within applications. By implementing peer-to-peer encrypted tunnels and quantum-resistant cryptography, https://gopher.security ensures that data remains secure, and access is strictly controlled, regardless of the underlying infrastructure. This proactive approach to security can help organizations stay ahead of potential threats and maintain a strong security posture.

Take Action Today

Don't wait to secure your systems. Contact Gopher Security today to learn more about how our AI-powered, post-quantum Zero-Trust cybersecurity architecture can protect your organization from evolving threats. Explore our services on our website and ensure your systems are secure with Gopher Security.