Critical RCE and Authentication Bypass Vulnerabilities in SolarWinds Web Help Desk
SolarWinds released security updates for Web Help Desk (WHD) to address multiple critical vulnerabilities that could allow unauthenticated remote attackers to bypass authentication and achieve remote code execution (RCE). The patched issues include two critical authentication bypass flaws, CVE-2025-40552 and CVE-2025-40554 (reported by watchTowr researcher Piotr Bazydlo), and two critical RCE flaws tied to untrusted data deserialization, CVE-2025-40553 (Bazydlo) and CVE-2025-40551 (reported by Horizon3.ai researcher Jimi Sebree), enabling remote command execution without prior access.
SolarWinds also fixed a high-severity hardcoded credentials issue, CVE-2025-40537, which could enable unauthorized access to administrative functions under certain conditions. The vendor advised administrators to upgrade to Web Help Desk 2026.1 and patch quickly, noting WHD has a history of being targeted and previously had vulnerabilities flagged as actively exploited by CISA, reinforcing the likelihood of rapid attacker interest following disclosure and patch availability.

How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
More than 170 exposed WHD instances reported still vulnerable
Researchers reported that over 170 internet-exposed SolarWinds Web Help Desk installations remained vulnerable to CVE-2025-40551 after active exploitation was confirmed, highlighting continued exposure despite available patches.
CISA sets February 6 deadline for federal remediation
Following the KEV addition, CISA set an urgent remediation deadline of February 6, 2026 for affected federal agencies and urged immediate patching or isolation of exposed systems.
CISA adds CVE-2025-40551 to KEV as actively exploited
CISA flagged SolarWinds Web Help Desk CVE-2025-40551 as actively exploited in attacks, added it to the Known Exploited Vulnerabilities catalog, and ordered U.S. federal civilian agencies to remediate under BOD 22-01.
Rapid7 releases detection coverage for critical WHD CVEs
Rapid7 said remote vulnerability checks for the four critical SolarWinds Web Help Desk CVEs were included in its January 28 content release for certain security products.
Researchers publicly disclose technical details for WHD exploit chain
Horizon3.ai and watchTowr publicly detailed how multiple Web Help Desk weaknesses could be chained to achieve unauthenticated remote code execution, including AjaxProxy/JSON-RPC deserialization paths, request-filter bypasses, static credentials, and indicators of compromise.
SolarWinds publishes advisory and patches six WHD vulnerabilities
SolarWinds released Web Help Desk 2026.1 and published a security advisory addressing six vulnerabilities affecting versions 12.8.8 Hotfix 1 and earlier, including four critical flaws for unauthenticated RCE and authentication bypass plus two high-severity issues involving access control bypass and hardcoded credentials.
SolarWinds provides a preview release for WHD fixes
As part of remediation efforts, SolarWinds issued a preview release containing fixes ahead of public availability of the final patched version.
SolarWinds confirms the reported WHD vulnerabilities
SolarWinds acknowledged and confirmed the reported Web Help Desk vulnerabilities during the coordinated disclosure process.
Researchers report SolarWinds WHD flaws to PSIRT
Horizon3.ai disclosed vulnerabilities in SolarWinds Web Help Desk to SolarWinds PSIRT, beginning the coordinated disclosure process for what became CVE-2025-40551 and related issues.
Sources
170+ SolarWinds Help Desk Installations Vulnerable to RCE Attacks Exposed Online (cybersecuritynews.com)
CISA Warns of SolarWinds Web Help Desk RCE Vulnerability Exploited in Attacks (cybersecuritynews.com)
CISA flags critical SolarWinds RCE flaw as exploited in attacks (bleepingcomputer.com)
SolarWinds Web Help Desk Critical Vulnerabilities: Unauthenticated RCE and Authentication Bypass Fixed in Emergency Patch (rescana.com)
CVE-2025-40551: SolarWinds WHD RCE | Horizon3.ai (horizon3.ai)
Multiple Critical SolarWinds Web Help Desk Vulnerabilities: CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, CVE-2025-40554 (rapid7.com)
SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws (bleepingcomputer.com)
SolarWinds Web Help Desk Hit with Multiple RCE and Auth Bypass Vulnerabilities (securityonline.info)


