Article Details
Scrape Timestamp (UTC): 2026-01-29 09:03:29.962
Source: https://thehackernews.com/2026/01/solarwinds-fixes-four-critical-web-help.html
Original Article Text
SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass

SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE). The list of vulnerabilities is as follows -

While Jimi Sebree from Horizon3.ai has been credited with discovering and reporting the first three vulnerabilities, watchTowr's Piotr Bazydlo has been acknowledged for the remaining three flaws. All the issues have been addressed in WHD 2026.1.

"Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution," Rapid7 said. "RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant."

While CVE-2025-40552 and CVE-2025-40554 have been described as authentication bypasses, they could also be leveraged to obtain RCE and achieve the same impact as the other two RCE deserialization vulnerabilities, the cybersecurity company added.

In recent years, SolarWinds has released fixes to resolve several flaws in its Web Help Desk software, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399. It's worth noting that CVE-2025-26399 addresses a patch bypass for CVE-2024-28988, which, in turn, is a patch bypass of CVE-2024-28986. In late 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
In a post explaining CVE-2025-40551, Horizon3.ai's Sebree described it as yet another deserialization vulnerability stemming from the AjaxProxy functionality that could result in remote code execution. To achieve RCE, an attacker needs to carry out the following series of actions -

With flaws in Web Help Desk having been weaponized in the past, it's essential that customers move quickly to update to the latest version of the help desk and IT service management platform.
Daily Brief Summary
SolarWinds has issued updates for its Web Help Desk software to address four critical vulnerabilities, including authentication bypass and remote code execution (RCE) risks.
The vulnerabilities, identified by researchers from Horizon3.ai and watchTowr, include critical deserialization flaws that allow unauthenticated attackers to execute arbitrary OS commands remotely.
Two of the vulnerabilities, CVE-2025-40551 and CVE-2025-40553, involve deserialization of untrusted data, a reliable attack vector that poses significant security threats.
Additional vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypass issues that can also lead to RCE, amplifying their potential impact.
Previous flaws in SolarWinds' Web Help Desk have been actively exploited, prompting the U.S. CISA to add them to its Known Exploited Vulnerabilities catalog.
Organizations using SolarWinds Web Help Desk are urged to update to version WHD 2026.1 promptly to mitigate these critical security risks.
Continuous vigilance and timely patching are crucial as past vulnerabilities in the platform have been weaponized, posing ongoing threats to IT service management environments.