Mallory
Severity: High

Hardcoded Credentials in SolarWinds Web Help Desk

Identifiers: CVE-2025-40537, CWE-798 (Use of Hard-coded Credentials)

CVE-2025-40537 is a high-severity vulnerability in SolarWinds Web Help Desk (WHD) caused by the use of hardcoded or static credentials. The available reporting states that WHD may initialize a default "client" account with username "client" and password "client," and that under certain conditions this can provide access to administrative functions or enable privilege elevation. Multiple sources describe the issue as a hardcoded credentials vulnerability affecting WHD versions prior to 2026.1, including 12.8.8 Hotfix 1 and below. Some technical reporting further indicates that in certain environments the default client account may be associated with a default technician account, allowing switching into an administrator context. The vulnerability was discovered by Jimi Sebree and patched by SolarWinds in Web Help Desk version 2026.1.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can provide unauthorized access to administrative functionality within SolarWinds Web Help Desk. Depending on deployment conditions and account associations, this may allow privilege escalation from a low-privileged or default account into an administrator context, exposing ticketing data, asset information, configuration data, and other application-managed information. Because WHD is commonly deployed as an internal IT management platform, administrative access could also facilitate broader operational abuse and serve as a stepping stone for further compromise.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable or remove the default client account and any other demo or initialization accounts, enforce strong unique credentials for all local accounts, restrict exposure of the WHD interface to trusted networks, and monitor WHD logs for logins involving the default client account. Review session and access logs for suspicious authentication events and unexpected access to administrative functions. Network segmentation and least-privilege controls can reduce exposure while patching is pending, but no complete workaround is documented in the provided content.
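The log-monitoring step above is the one most teams can act on immediately. The following is an added example, not code from the page or from SolarWinds: a small scanner that flags successful and failed logins by the default "client" account, any context switch from that account into a technician identity, and any administrative action performed in a session that the default account opened, even when the later lines are logged under the technician's name. The line format (timestamp, event name, key=value pairs), the event names, and the sample log are constructed assumptions for illustration, not the real WHD log schema; map them to whatever your WHD deployment actually writes.

```python
"""Flag WHD authentication activity involving default/initialization accounts.

Constructed example. The log format below (timestamp, event name, then
key=value pairs) is an assumption for illustration, not the real WHD schema.
"""
import re
from dataclasses import dataclass

# Accounts that should never authenticate on a hardened instance.
# "client" is the default account named in the advisory; the others are
# placeholders for demo/initialization accounts found in your own audit.
DEFAULT_ACCOUNTS = {"client", "demo", "guest"}

# Hypothetical event names: a switch into another user's context, and an
# action on an administrative function.
CONTEXT_EVENTS = {"switch_context", "impersonate"}
ADMIN_EVENTS = {"admin_action"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\w+)(?P<rest>(?:\s+\w+=\S+)*)\s*$")


@dataclass
class Finding:
    ts: str
    severity: str
    reason: str
    line: str


def parse_line(line):
    """Return (timestamp, event, fields) or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split())
    return m.group("ts"), m.group("event"), fields


def scan(lines, default_accounts=DEFAULT_ACCOUNTS):
    """Return findings for default-account logins, context switches and
    admin actions performed in sessions a default account opened."""
    findings = []
    tainted = {}  # session id -> default account that opened the session
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, f = parsed
        user = f.get("user", "").lower()
        session = f.get("session")
        is_default = user in default_accounts
        if event == "login" and is_default:
            ok = f.get("result") == "success"
            if ok and session:
                tainted[session] = user
            findings.append(Finding(
                ts, "medium" if ok else "low",
                f"{'successful' if ok else 'failed'} login by default account '{user}'", line))
        elif event in CONTEXT_EVENTS and is_default and f.get("result") == "success":
            # The session now acts as another identity; keep tracking it by session id.
            if session:
                tainted[session] = user
            findings.append(Finding(
                ts, "high",
                f"default account '{user}' switched into '{f.get('target')}'", line))
        elif event in ADMIN_EVENTS and (is_default or session in tainted):
            origin = tainted.get(session, user)
            findings.append(Finding(
                ts, "high",
                f"admin function '{f.get('action')}' used in session '{session}' "
                f"opened by default account '{origin}'", line))
    return findings


# Constructed sample log: one normal technician session and one default-account
# session that switches into a technician and then edits an admin setting.
SAMPLE_LOG = [
    "2025-07-01T09:58:02Z login user=alice session=s1 src=10.1.1.7 result=success",
    "2025-07-01T10:02:13Z login user=client session=s2 src=10.1.1.42 result=success",
    "2025-07-01T10:02:40Z switch_context user=client session=s2 target=tech01 result=success",
    "2025-07-01T10:03:01Z admin_action user=tech01 session=s2 action=edit_ldap_settings",
    "2025-07-01T10:05:11Z login user=client session=s3 src=10.1.1.50 result=failure",
    "2025-07-01T10:06:00Z admin_action user=alice session=s1 action=view_tickets",
]

if __name__ == "__main__":
    for fnd in scan(SAMPLE_LOG):
        print(f"[{fnd.severity.upper():6}] {fnd.ts} {fnd.reason}")
```

The session-id tracking is the part worth keeping whatever your real log format looks like: after a context switch, the administrative action is attributed to the technician identity, so a rule that only matches `user=client` would miss it.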

Remediation

Patch, then assume compromise.

Upgrade SolarWinds Web Help Desk to version 2026.1, which SolarWinds states fixes CVE-2025-40537. Apply the vendor update to all affected WHD instances, including versions prior to 2026.1 and specifically 12.8.8 Hotfix 1 and below where referenced. After upgrading, verify that any default or demo accounts are removed, disabled, or no longer usable, and review administrative account mappings and role assignments for unintended privilege relationships.
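The remediation step has two checks that are easy to script during a fleet review: is the instance at or above the fixed version, and do any default or demo accounts or client-to-technician mappings still grant administrative reach. The following is an added example, not code from the page or from SolarWinds. It parses version strings in the forms the advisory uses ("2026.1", "12.8.8 Hotfix 1"), compares them against the fixed version, and audits a constructed account export for default accounts that are still enabled and for client accounts linked to an admin technician. The account export shape (username, type, enabled, role, linked_technician) and the version-string grammar are assumptions for illustration, not WHD's own data model.

```python
"""Post-upgrade verification for CVE-2025-40537: version check plus audit of
default accounts and client-to-technician privilege mappings.

Constructed example. The account export format is an assumption for
illustration, not WHD's own data model.
"""
import re

# Fixed version named in the advisory.
FIXED_VERSION = (2026, 1)

# Default/initialization accounts that should be removed or disabled.
# "client" is the account named in the advisory; the rest are placeholders.
DEFAULT_ACCOUNT_NAMES = {"client", "demo", "guest"}

# Accepts "2026.1", "12.8.8", "12.8.8 Hotfix 1" (hotfix suffix optional).
VERSION_RE = re.compile(r"^(?P<nums>\d+(?:\.\d+)*)(?:\s+hotfix\s*(?P<hf>\d+))?$", re.I)


def parse_version(text):
    """Return ((major, minor, ...), hotfix_number) or raise ValueError."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(x) for x in m.group("nums").split("."))
    hotfix = int(m.group("hf")) if m.group("hf") else 0
    return nums, hotfix


def is_patched(version_text):
    """True when the numeric version is at or above the fixed 2026.1 release.
    Tuple comparison handles differing lengths: (2026, 1, 2) >= (2026, 1)."""
    nums, _hotfix = parse_version(version_text)
    return nums >= FIXED_VERSION


def audit_accounts(accounts):
    """Return human-readable issues for accounts that remediation says should
    not survive the upgrade: enabled default accounts, and client accounts
    mapped to a technician with the admin role."""
    by_name = {a["username"].lower(): a for a in accounts}
    issues = []
    for a in accounts:
        name = a["username"].lower()
        if name in DEFAULT_ACCOUNT_NAMES and a.get("enabled", False):
            issues.append(f"default account '{name}' is still enabled; disable or remove it")
        linked = a.get("linked_technician")
        if a.get("type") == "client" and linked:
            tech = by_name.get(linked.lower(), {})
            if tech.get("role") == "admin":
                issues.append(
                    f"client account '{name}' is linked to admin technician '{linked}'; "
                    f"review this privilege relationship")
    return issues


def verify(version_text, accounts):
    """Combine both checks into one report for the instance."""
    return {"patched": is_patched(version_text), "issues": audit_accounts(accounts)}


# Constructed account export: the default client is still enabled and is
# mapped to an admin technician; a demo account is present but disabled.
SAMPLE_ACCOUNTS = [
    {"username": "client", "type": "client", "enabled": True, "linked_technician": "tech01"},
    {"username": "tech01", "type": "technician", "enabled": True, "role": "admin"},
    {"username": "alice", "type": "technician", "enabled": True, "role": "technician"},
    {"username": "demo", "type": "client", "enabled": False},
]

if __name__ == "__main__":
    for ver in ("12.8.8 Hotfix 1", "2026.1"):
        report = verify(ver, SAMPLE_ACCOUNTS)
        print(f"version {ver}: patched={report['patched']}")
        for issue in report["issues"]:
            print("  -", issue)
```

Note that a patched version does not clear the account findings: the advisory's remediation explicitly asks for the default accounts and the role mappings to be reviewed after the upgrade, so the audit runs regardless of the version result.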
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

Valid: 0 / 1 total

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor: SolarWinds
Product: Web Help Desk
Type: application

Vendor-confirmed product mapping.
