SolarWinds has released security updates to address six vulnerabilities in its Web Help Desk (WHD) IT service management software, including four rated critical that could allow unauthenticated attackers to achieve remote code execution with SYSTEM privileges. CISA has confirmed active exploitation and added CVE-2025-40551 to the Known Exploited Vulnerabilities catalog.
Vulnerability summary
| CVE | CVSS | Severity | Type | Authentication |
|---|
| CVE-2025-40551 | 9.8 | Critical | Deserialization RCE | None required |
| CVE-2025-40553 | 9.8 | Critical | Deserialization RCE | None required |
| CVE-2025-40552 | 9.8 | Critical | Authentication bypass | None required |
| CVE-2025-40554 | 9.8 | Critical | Authentication bypass | None required |
| CVE-2025-40536 | 7.5 | High | Access control bypass | None required |
| CVE-2025-40537 | 7.2 | High | Hardcoded credentials | Specific conditions |
All four critical vulnerabilities share the same CVSS 9.8 score and allow remote unauthenticated attackers to execute arbitrary code with SYSTEM privileges.
CISA KEV addition
| Attribute | Details |
|---|
| KEV addition date | February 4, 2026 |
| Active exploitation | Confirmed |
| Federal agency deadline | February 6, 2026 (CVE-2025-40551) |
| Additional CVEs deadline | February 24, 2026 |
| Binding directive | BOD 22-01 |
CISA stated: “SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.”
Timeline
| Date | Event |
|---|
| January 2026 | Horizon3.ai discovers CVE-2025-40551 |
| January 29, 2026 | SolarWinds releases WHD version 2026.1 |
| February 4, 2026 | CISA adds CVE-2025-40551 to KEV |
| February 6, 2026 | Federal agency remediation deadline (CVE-2025-40551) |
| February 24, 2026 | Federal deadline for remaining CVEs |
Critical vulnerabilities in detail
CVE-2025-40551 & CVE-2025-40553: Deserialization RCE
Both vulnerabilities stem from deserialization of untrusted data in the WHD application. The flaws exist in the AjaxProxy component, which handles asynchronous requests.
| Attribute | CVE-2025-40551 | CVE-2025-40553 |
|---|
| CVSS | 9.8 | 9.8 |
| Component | AjaxProxy | AjaxProxy |
| Root cause | Deserialization of untrusted data | Deserialization of untrusted data |
| Authentication | None required | None required |
| Exploitation | In the wild | Not yet confirmed |
Attack vector:
| Step | Action |
|---|
| 1 | Attacker sends crafted serialized object to vulnerable endpoint |
| 2 | Application deserializes without validation |
| 3 | Malicious object triggers code execution |
| 4 | Attacker gains SYSTEM-level access |
According to Horizon3.ai researcher Jimi Sebree, CVE-2025-40551 exists in AjaxProxy functionality due to improper sanitization of requests and the bypass of a blocklist function.
No authentication required. Any network-accessible WHD instance is vulnerable.
CVE-2025-40552 & CVE-2025-40554: Authentication bypass
These vulnerabilities allow attackers to bypass authentication mechanisms entirely, gaining access equivalent to authenticated users—including administrators.
| Attribute | CVE-2025-40552 | CVE-2025-40554 |
|---|
| CVSS | 9.8 | 9.8 |
| Type | Authentication bypass | Authentication bypass |
| Impact | Administrative access | Administrative access |
| Authentication | None required | None required |
Combined impact: With both deserialization and auth bypass, attackers can:
| Capability | Risk |
|---|
| Execute arbitrary code | SYSTEM privileges |
| Install programs | Persistence |
| Create accounts | Backdoor access |
| Access all data | Complete compromise |
| Lateral movement | Network pivot point |
High-severity vulnerabilities
CVE-2025-40536: Access control bypass
| Attribute | Details |
|---|
| CVSS | 7.5 |
| Type | Access control bypass |
| Impact | Access restricted functionality |
| Authentication | None required |
Allows unauthenticated attackers to reach functionality that should be restricted to authenticated users. While not directly enabling RCE, it expands the attack surface significantly.
CVE-2025-40537: Hardcoded credentials
| Attribute | Details |
|---|
| CVSS | 7.2 |
| Type | Hardcoded credentials |
| Impact | Administrative access |
| Conditions | Specific deployment configurations |
Under specific conditions, hardcoded credentials in the application can grant access to administrative functionality.
Affected versions
| Product | Affected versions | Fixed version |
|---|
| SolarWinds Web Help Desk | 12.8.8 HF1 and all prior | 2026.1 |
Patch bypass history
CVE-2025-40551 is the latest in a series of bugs centered around bypasses of fixes to CVE-2024-28986:
| Date | CVE | Issue | Status |
|---|
| August 2024 | CVE-2024-28986 | Java deserialization RCE | Patched, then bypassed |
| August 2024 | CVE-2024-28987 | Hardcoded credential access | CISA KEV |
| September 2025 | CVE-2025-26399 | Patch bypass for CVE-2024-28986 | Patched, then bypassed |
| January 2026 | CVE-2025-40551 | Latest patch bypass | Current |
This pattern suggests structural issues in the WHD codebase that require comprehensive remediation rather than point fixes.
Impact assessment
SolarWinds Web Help Desk serves over 300,000 organizations globally for IT service management, including:
| Function | Description |
|---|
| IT support ticketing | Internal helpdesk operations |
| Asset management | Hardware/software inventory |
| Change management | IT change tracking |
| SLA tracking | Service level monitoring |
| Knowledge base | Internal documentation |
Data at risk
WHD instances typically have access to:
| Data category | Examples | Risk |
|---|
| IT infrastructure | Asset inventory, network documentation | Reconnaissance |
| User data | Employee information, credential reset requests | PII exposure |
| Business processes | Incident history, change records | Operational insight |
| Internal communications | Support tickets, knowledge articles | Confidential info |
| Integration credentials | Connected system access | Lateral movement |
Compromise provides attackers with detailed intelligence about the target’s IT environment and potential pivot points for lateral movement.
Exploitation in the wild
CISA’s KEV addition confirms active exploitation:
| Factor | Assessment |
|---|
| Functional exploits | Exist and used in real environments |
| Attack complexity | Low (no authentication required) |
| Target value | High (IT infrastructure visibility) |
| Exposure | Internet-facing and internal deployments |
High-risk deployments
| Deployment type | Risk level |
|---|
| Internet-facing WHD | Critical |
| Internal with weak segmentation | High |
| Integrated with AD | High (credential pivot) |
| Containing sensitive tickets | High |
Patching guidance
| Step | Action |
|---|
| 1 | Download Web Help Desk version 2026.1 from SolarWinds Customer Portal |
| 2 | Review release notes for upgrade prerequisites |
| 3 | Back up current WHD database and configuration |
| 4 | Deploy update during maintenance window |
| 5 | Verify successful installation |
| 6 | Review access logs for indicators of prior compromise |
| Mitigation | Purpose |
|---|
| Network isolation | Restrict access to WHD instances |
| Firewall rules | Block external access |
| VPN-only access | Require VPN for remote users |
| Enhanced logging | Detect exploitation attempts |
| WAF rules | Block serialized object payloads |
| Consider offline | Take WHD offline until patched |
Detection
Indicators to monitor
| Indicator | Meaning |
|---|
| Unusual requests to AjaxProxy endpoints | Possible exploitation |
| Serialized Java objects in HTTP bodies | Attack payload |
| New user accounts | Post-exploitation activity |
| Privilege escalations | Attacker persistence |
| Unexpected outbound connections | C2 communication |
| SYSTEM-level processes from WHD | Code execution |
Log sources
| Log source | What to review |
|---|
| WHD application logs | AjaxProxy requests, errors |
| Web server access logs | Suspicious POST requests |
| Windows Security logs | Process creation (4688), account management |
| Network traffic logs | Unusual WHD connections |
| Authentication logs | Failed/successful logins |
Detection rules
| Platform | Rule focus |
|---|
| SIEM | AjaxProxy POST with serialized content |
| EDR | WHD spawning unexpected child processes |
| WAF | Java serialization patterns in requests |
| Network | Outbound connections from WHD server |
Recommendations
For WHD administrators
| Priority | Action |
|---|
| Critical | Patch immediately to version 2026.1 |
| Critical | Audit access logs for exploitation signs |
| High | Review user accounts for unauthorized additions |
| High | Restrict network access to WHD if exposed |
| High | Enable MFA for administrative access |
| Medium | Review integration credentials for abuse |
For security teams
| Priority | Action |
|---|
| Critical | Inventory WHD instances across organization |
| Critical | Prioritize patching above normal cycles |
| High | Hunt for compromise indicators in historical logs |
| High | Assess data exposure if compromised |
| Medium | Review WHD in threat models |
| Ongoing | Monitor for new WHD vulnerabilities |
For federal agencies
| Requirement | Deadline |
|---|
| CVE-2025-40551 remediation | February 6, 2026 |
| Remaining CVEs remediation | February 24, 2026 |
| Alternative | Discontinue use if mitigation impossible |
Context
SolarWinds products continue to be high-value targets following the 2020 supply chain compromise. While Web Help Desk is a separate product from the compromised Orion platform, the SolarWinds brand attracts attacker attention and researcher scrutiny.
| Factor | Implication |
|---|
| Brand targeting | Attackers specifically seek SolarWinds vulnerabilities |
| Recurring WHD flaws | Structural codebase issues |
| Patch bypass pattern | Fixes don’t address root cause |
| High deployment count | 300,000+ organizations affected |
The recurring pattern of critical WHD vulnerabilities—and the need for patch bypass fixes—suggests organizations should evaluate whether WHD’s risk profile aligns with their security requirements. The three-day federal deadline for CVE-2025-40551 underscores the severity of this vulnerability class.
Organizations unable to maintain aggressive patching cadence for WHD should consider:
| Option | Consideration |
|---|
| Alternative ITSM platforms | Different risk profile |
| Strict network isolation | Reduce attack surface |
| Enhanced monitoring | Detect exploitation quickly |
| Managed service | Vendor-managed patching |
