
Critical RCE and Authentication Bypass Vulnerabilities in SolarWinds Web Help Desk

Updated 3d ago | First seen Jan 28, 2026 | 16 sources

SolarWinds released security updates for Web Help Desk (WHD) to address multiple critical vulnerabilities that could allow unauthenticated remote attackers to bypass authentication and achieve remote code execution (RCE). The patched issues include two critical authentication bypass flaws, CVE-2025-40552 and CVE-2025-40554 (reported by watchTowr researcher Piotr Bazydlo), and two critical RCE flaws tied to untrusted data deserialization, CVE-2025-40553 (Bazydlo) and CVE-2025-40551 (reported by Horizon3.ai researcher Jimi Sebree), enabling remote command execution without prior access.

SolarWinds also fixed a high-severity hardcoded credentials issue, CVE-2025-40537, which could enable unauthorized access to administrative functions under certain conditions. The vendor advised administrators to upgrade to Web Help Desk 2026.1 and to patch quickly, noting that WHD has a history of being targeted and has previously had vulnerabilities flagged by CISA as actively exploited. That history reinforces the likelihood of rapid attacker interest following disclosure and patch availability.


EVENT TIMELINE

How this story unfolded

9 events from the most recent confirmed update back to the earliest known activity.

Feb 5, 2026 (5mo ago)

More than 170 exposed WHD instances reported still vulnerable

Researchers reported that over 170 internet-exposed SolarWinds Web Help Desk installations remained vulnerable to CVE-2025-40551 after active exploitation was confirmed, highlighting continued exposure despite available patches.

Feb 3, 2026 (5mo ago)

CISA sets February 6 deadline for federal remediation

Following the KEV addition, CISA set an urgent remediation deadline of February 6, 2026 for affected federal agencies and urged immediate patching or isolation of exposed systems.

CISA adds CVE-2025-40551 to KEV as actively exploited

CISA flagged SolarWinds Web Help Desk CVE-2025-40551 as actively exploited in attacks, added it to the Known Exploited Vulnerabilities catalog, and ordered U.S. federal civilian agencies to remediate under BOD 22-01.

Jan 28, 2026 (5mo ago)

Rapid7 releases detection coverage for critical WHD CVEs

Rapid7 said remote vulnerability checks for the four critical SolarWinds Web Help Desk CVEs were included in its January 28 content release for certain security products.

Researchers publicly disclose technical details for WHD exploit chain

Horizon3.ai and watchTowr publicly detailed how multiple Web Help Desk weaknesses could be chained to achieve unauthenticated remote code execution, including AjaxProxy/JSON-RPC deserialization paths, request-filter bypasses, static credentials, and indicators of compromise.

SolarWinds publishes advisory and patches six WHD vulnerabilities

SolarWinds released Web Help Desk 2026.1 and published a security advisory addressing six vulnerabilities affecting versions 12.8.8 Hotfix 1 and earlier, including four critical flaws for unauthenticated RCE and authentication bypass plus two high-severity issues involving access control bypass and hardcoded credentials.

Jan 21, 2026 (5mo ago)

SolarWinds provides a preview release for WHD fixes

As part of remediation efforts, SolarWinds issued a preview release containing fixes ahead of public availability of the final patched version.

Dec 12, 2025 (7mo ago)

SolarWinds confirms the reported WHD vulnerabilities

SolarWinds acknowledged and confirmed the reported Web Help Desk vulnerabilities during the coordinated disclosure process.

Dec 5, 2025 (7mo ago)

Researchers report SolarWinds WHD flaws to PSIRT

Horizon3.ai disclosed vulnerabilities in SolarWinds Web Help Desk to SolarWinds PSIRT, beginning the coordinated disclosure process for what became CVE-2025-40551 and related issues.
