Unauthenticated RCE in SolarWinds Web Help Desk Deserialization

Successful exploitation allows unauthenticated remote code execution on the SolarWinds Web Help Desk host, enabling full compromise of the affected server. Reported post-exploitation outcomes in the provided content include arbitrary command execution, deployment of remote management tooling, use of Velociraptor for command-and-control, installation of Cloudflare Tunnel for persistent remote access, disabling of Windows Defender and Windows Firewall, credential dumping including DCSync and NTDS.dit extraction, Active Directory reconnaissance, lateral movement to high-value assets, ransomware deployment, and data exfiltration. For publicly exposed instances, this can result in loss of confidentiality, integrity, and availability and can provide a foothold for broader domain compromise.

If immediate patching is not possible, remove direct internet exposure to SolarWinds Web Help Desk, especially administrative interfaces, by placing the service behind a VPN, firewall, or other access restriction. Increase monitoring for exploitation and post-compromise behaviors associated with WHD, including java.exe spawning cmd.exe or PowerShell, BITS or msiexec retrieving remote payloads, installation of RMM tools, Velociraptor, or cloudflared, registry changes disabling Defender or Firewall, and suspicious scheduled-task creation. Restrict outbound connectivity where feasible, monitor for credential-dumping and Active Directory reconnaissance activity, and treat patching as only preventive for future exploitation, not sufficient to remediate prior compromise.

Upgrade SolarWinds Web Help Desk to version 2026.1 or later, which SolarWinds states remediates CVE-2025-40551. Organizations should urgently patch all affected WHD instances, especially internet-exposed systems. Because the vulnerability has been actively exploited, remediation should also include incident-response validation on previously exposed or vulnerable hosts: review for unauthorized remote access tools such as Zoho ManageEngine Assist/Zoho Assist, Velociraptor, cloudflared, suspicious scheduled tasks such as TPMProfiler, and evidence of credential theft or lateral movement; rotate WHD service, administrator, and any potentially reachable domain credentials; and evict attacker persistence if compromise is suspected.