SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now

Edward Zhou

CEO & Co-Founder

March 9, 2026 4 min read

TL;DR

  • This article details critical vulnerabilities found in SolarWinds Web Help Desk, including remote code execution and authentication bypass flaws. SolarWinds has released version 2026.1 to address these issues. It's crucial for users to update promptly and implement recommended mitigation steps to prevent potential exploitation.

SolarWinds Web Help Desk Vulnerabilities Addressed

SolarWinds has released security updates to address multiple vulnerabilities in SolarWinds Web Help Desk (WHD), including critical flaws that could lead to authentication bypass and remote code execution (RCE). It is recommended to upgrade to v2026.1 as soon as possible. Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture, offering solutions to mitigate such risks through peer-to-peer encrypted tunnels and quantum-resistant cryptography.

[Image: SolarWinds Web Help Desk vulnerabilities. Image courtesy of Help Net Security]

Vulnerability Details

The following vulnerabilities have been identified and addressed:

  • CVE-2025-40536 (CVSS score: 8.1): A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.
  • CVE-2025-40537 (CVSS score: 7.5): A hard-coded credentials vulnerability that could allow access to administrative functions using the "client" user account.
  • CVE-2025-40551 (CVSS score: 9.8): An untrusted data deserialization vulnerability that could lead to remote code execution, allowing an unauthenticated attacker to run commands on the host machine.
  • CVE-2025-40552 (CVSS score: 9.8): An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods.
  • CVE-2025-40553 (CVSS score: 9.8): An untrusted data deserialization vulnerability that could lead to remote code execution, allowing an unauthenticated attacker to run commands on the host machine.
  • CVE-2025-40554 (CVSS score: 9.8): An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk.

These vulnerabilities affect SolarWinds Web Help Desk 12.8.8 Hotfix 1 and earlier and are fixed in v2026.1; see the SolarWinds WHD 2026.1 release notes for details.

Discovery and Reporting

Jimi Sebree from Horizon3.ai discovered and reported CVE-2025-40536, CVE-2025-40537, and CVE-2025-40551. Piotr Bazydlo from watchTowr identified CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. WHD 2026.1 addresses all the reported issues.

Technical Analysis of Critical Vulnerabilities

Rapid7 noted that CVE-2025-40551 and CVE-2025-40553 are critical deserialization-of-untrusted-data vulnerabilities. Both allow a remote, unauthenticated attacker to achieve RCE on the target system, including arbitrary OS command execution.

Horizon3.ai described CVE-2025-40551 as another deserialization vulnerability stemming from the AjaxProxy functionality that could result in remote code execution. Achieving RCE involves:

  1. Establishing a valid session and extracting key values
  2. Creating a LoginPref component
  3. Setting the state of the LoginPref component to allow access to the file upload
  4. Using the JSONRPC bridge to create malicious Java objects behind the scenes
  5. Triggering these malicious Java objects

[Image: SolarWinds. Image courtesy of The Hacker News]

watchTowr Labs noted that CVE-2025-40553 is a patch bypass for CVE-2025-26399. When combined with CVE-2025-40552, it could result in unauthenticated remote code execution by establishing a valid JDBC connection to the local database and running a malicious SQL query that executes an operating system (OS) command as SYSTEM.

Security researcher Piotr Bazydlo stated that CVE-2025-40552 is a powerful authentication bypass that allows an attacker to ignore the hierarchical execution model of Java WebObjects and invoke almost any component directly. CVE-2025-40554, on the other hand, allows for an authentication bypass by allowing an attacker to invoke Ajax-related actions without authentication, and ultimately deserialize arbitrary objects.

The CVE-2025-40552 / CVE-2025-40553 exploit chain works because the PostgreSQL instance bundled with WHD is configured to trust all local connections, so no credentials are required when connecting over the loopback interface. An attacker who reaches the database from the WHD host can therefore authenticate as the whd superadmin account and use PostgreSQL's COPY ... FROM PROGRAM, a superuser-only feature that runs a shell command on the database server, to execute arbitrary OS commands with the privileges of the database service (SYSTEM, as described above).
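The loopback-trust precondition described above can be checked directly in the database's pg_hba.conf. The following Python script is an added example, not code from SolarWinds, watchTowr or this article; the rules it parses are a constructed sample in standard PostgreSQL pg_hba.conf syntax (the exact file that ships with WHD is not reproduced here), and HARDENED_METHOD is an assumed replacement value. It flags every rule that grants the trust (passwordless) method on a Unix-socket or loopback path, handles both CIDR and "ip netmask" address forms, and shows what the same rules look like with password authentication required.

```python
"""Audit pg_hba.conf for passwordless ("trust") access on local and loopback
paths, the precondition the CVE-2025-40552 / CVE-2025-40553 chain depends on.

Added example; the rules below are a constructed sample in standard PostgreSQL
pg_hba.conf syntax, not the file that ships with SolarWinds Web Help Desk.
"""
import ipaddress
import re

# Constructed sample of a permissive bundled-database configuration.
WEAK_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        trust
host    all       all   10.0.0.0/8     scram-sha-256
"""

# Assumed replacement: SCRAM password auth (password_encryption default since PG 14).
HARDENED_METHOD = "scram-sha-256"
HOST_TYPES = ("host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc")


def parse_pg_hba(text):
    """Return (line_number, fields) for every rule; comments and blanks skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append((lineno, line.split()))
    return rules


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def is_loopback(address):
    """True for 127.0.0.0/8 or ::1, given in CIDR or 'ip/netmask' form."""
    try:
        return ipaddress.ip_network(address, strict=False).network_address.is_loopback
    except ValueError:
        return False


def trusted_local_rules(rules):
    """Rules that let a client on the same box in without a password."""
    findings = []
    for lineno, fields in rules:
        conn_type = fields[0]
        if conn_type == "local":                      # Unix-domain socket
            if len(fields) < 4:
                continue
            local_path, method = True, fields[3]
        elif conn_type in HOST_TYPES:                 # TCP/IP
            if len(fields) < 5:
                continue
            addr, rest = fields[3], fields[4:]
            if len(rest) >= 2 and _is_ip(rest[0]):   # "ip netmask" instead of CIDR
                addr, rest = f"{addr}/{rest[0]}", rest[1:]
            local_path, method = (addr == "samehost" or is_loopback(addr)), rest[0]
        else:
            continue
        if local_path and method == "trust":
            findings.append((lineno, " ".join(fields)))
    return findings


def harden(text):
    """Return the config with every flagged rule switched to HARDENED_METHOD."""
    flagged = {lineno for lineno, _ in trusted_local_rules(parse_pg_hba(text))}
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if lineno in flagged:
            raw = re.sub(r"\btrust\b", HARDENED_METHOD, raw, count=1)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, rule in trusted_local_rules(parse_pg_hba(WEAK_PG_HBA)):
        print(f"line {lineno}: passwordless local access -> {rule}")
    print(harden(WEAK_PG_HBA))
```

Run it against a copy of the bundled PostgreSQL's pg_hba.conf. A finding confirms that any process on the host able to open a connection to the database port, including a WHD process an attacker drives through CVE-2025-40552, can log in as the superuser without a password. Two caveats: switching the method to scram-sha-256 only works if WHD's own database connection is updated to present that password, and it does not remove the deserialization bug, so the 2026.1 upgrade remains the fix. The chain also needs superuser rights, since COPY ... FROM PROGRAM is limited to superusers and members of pg_execute_server_program.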

Past Exploitation

In 2024, SolarWinds fixed two WHD vulnerabilities, CVE-2024-28986 (a Java deserialization RCE) and CVE-2024-28987 (hard-coded credentials), both of which were exploited in the wild. CISA added CVE-2024-28986 to its Known Exploited Vulnerabilities (KEV) catalog in August 2024, days after the fix shipped, and CVE-2024-28987 in October 2024, citing evidence of active exploitation.

Indicators of Compromise (IOCs)

Specific IOCs have not been disclosed by SolarWinds. However, organizations should implement the following detection strategies:

  • Monitor WHD application logs for unusual authentication patterns.
  • Review network traffic to WHD servers for unexpected inbound connections.
  • Configure alerts for unauthorized process execution on WHD server systems.
  • Examine authentication logs for bypass attempts or successful access without proper credential validation.
  • Implement file integrity monitoring on WHD installation directories.
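Because the CVE-2025-40552 / CVE-2025-40553 chain ends in a COPY ... FROM PROGRAM statement, the database's own statement log is one place the generic detection advice above can be made concrete. The following Python scanner is an added example, not from SolarWinds or this article; its log lines are constructed in PostgreSQL's default '%m [%p] ' prefix format and assume log_statement = 'all' on the WHD host (that setting is an assumption, and COPY statements do not appear in the log without it or an equivalent). It ties each COPY ... FROM/TO PROGRAM statement back to the session's connecting host and database user, handles doubled-quote escaping inside the command string, and leaves ordinary file-based COPY alone.

```python
"""Scan PostgreSQL statement logs for COPY ... FROM/TO PROGRAM, the OS command
primitive the CVE-2025-40552 / CVE-2025-40553 chain ends in, and tie each hit
to the session's source host and database user.

Added example; the log lines are constructed in PostgreSQL's default
'%m [%p] ' prefix format and assume log_statement = 'all' on the WHD host.
"""
import re

# Constructed sample: one session runs a shell command via COPY ... FROM PROGRAM,
# a second does a legitimate file import that must not be flagged.
SAMPLE_LOG = """\
2026-03-09 10:15:20.101 UTC [4412] LOG:  connection received: host=127.0.0.1 port=51234
2026-03-09 10:15:20.103 UTC [4412] LOG:  connection authorized: user=whd database=whd
2026-03-09 10:15:21.500 UTC [4412] LOG:  statement: SELECT 1
2026-03-09 10:15:22.900 UTC [4412] LOG:  statement: CREATE TABLE shell_out(line text)
2026-03-09 10:15:23.120 UTC [4412] LOG:  statement: COPY shell_out FROM PROGRAM 'whoami'
2026-03-09 10:15:25.000 UTC [4413] LOG:  connection received: host=127.0.0.1 port=51240
2026-03-09 10:15:25.002 UTC [4413] LOG:  connection authorized: user=whd database=whd
2026-03-09 10:15:26.000 UTC [4413] LOG:  statement: COPY tickets FROM '/tmp/import.csv' CSV
"""

# "<timestamp with tz> [<backend pid>] <LEVEL>:  <message>" (default log_line_prefix).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
RECEIVED_RE = re.compile(r"connection received: host=(?P<host>\S+)")
AUTHORIZED_RE = re.compile(r"connection authorized: user=(?P<user>\S+)")
# COPY <table> FROM|TO PROGRAM '<command>'; a doubled quote inside is an escaped quote.
COPY_PROGRAM_RE = re.compile(
    r"\bCOPY\b.+?\b(?:FROM|TO)\s+PROGRAM\s+'(?P<cmd>(?:[^']|'')*)'", re.I | re.S)


def find_copy_program(log_text):
    """Return one dict per COPY ... PROGRAM statement, with session context."""
    sessions = {}   # backend pid -> {"host": ..., "user": ...}
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        sess = sessions.setdefault(pid, {"host": "?", "user": "?"})
        r = RECEIVED_RE.search(msg)
        if r:
            sess["host"] = r.group("host")
        a = AUTHORIZED_RE.search(msg)
        if a:
            sess["user"] = a.group("user")
        if msg.startswith("statement: "):
            c = COPY_PROGRAM_RE.search(msg)
            if c:
                findings.append({
                    "ts": m.group("ts"), "pid": pid,
                    "host": sess["host"], "user": sess["user"],
                    "command": c.group("cmd").replace("''", "'"),
                })
    return findings


if __name__ == "__main__":
    for hit in find_copy_program(SAMPLE_LOG):
        print(f"{hit['ts']} pid={hit['pid']} {hit['user']}@{hit['host']} "
              f"ran OS command via COPY ... PROGRAM: {hit['command']!r}")
```

Note that the source host is not a useful discriminator here: the chain drives the SQL through WHD's own JDBC connection, so a malicious session arrives from 127.0.0.1 as the same user the application uses. The statement itself is the signal, which is why the scan keys on COPY ... PROGRAM rather than on the connection. If the host uses a custom log_line_prefix, adjust LINE_RE to match it.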

Mitigation Steps

  1. Immediately update all SolarWinds Web Help Desk installations to version 2026.1.
  2. Verify successful patch deployment by confirming version 2026.1 installation in the WHD administrative interface.
  3. Conduct comprehensive log review for the 30-day period preceding patch deployment to identify potential exploitation attempts.
  4. Reset all administrative passwords and disable any unnecessary user accounts, particularly focusing on the "client" account if accessible.
  5. Implement network segmentation to restrict WHD server access to authorized management networks only.
  6. Configure firewall rules to block unnecessary inbound connections to WHD servers from internet-facing networks.
  7. Enable detailed logging for all WHD authentication events and establish monitoring for authentication anomalies.
  8. Review and validate all current WHD user accounts, removing inactive accounts and validating privilege levels.
  9. Implement additional authentication layers such as multi-factor authentication where supported.
  10. Schedule regular security assessments for WHD installations to identify future vulnerabilities or misconfigurations.

Gopher Security offers AI-powered, post-quantum Zero-Trust cybersecurity architecture to help organizations protect against such vulnerabilities. Our platform converges networking and security across devices, apps, and environments, using peer-to-peer encrypted tunnels and quantum-resistant cryptography.

Explore Gopher Security's solutions or contact us for more information on how we can help secure your organization.

Edward Zhou

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
