
SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws


SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software.

The authentication bypass security flaws (tracked as CVE-2025-40552 and CVE-2025-40554) patched today by SolarWinds were reported by watchTowr's Piotr Bazydlo and can be exploited by remote unauthenticated threat actors in low-complexity attacks.

Bazydlo also found and reported a critical remote code execution (RCE) flaw (CVE-2025-40553) stemming from an untrusted data deserialization weakness that can enable attackers without privileges to run commands on vulnerable hosts.

A second RCE vulnerability (CVE-2025-40551) reported by Horizon3.ai security researcher Jimi Sebree can also enable unauthenticated attackers to execute commands remotely.

Today, SolarWinds also patched a high-severity hardcoded credentials vulnerability (CVE-2025-40537) discovered by Sebree that, under unspecified circumstances, could grant threat actors with low privileges unauthorized access to administrative functions.

The company provides detailed instructions for upgrading vulnerable servers to Web Help Desk 2026.1, which addresses these security flaws.

Admins are advised to patch their devices as soon as possible, as hackers have frequently exploited Web Help Desk security vulnerabilities in attacks.

For instance, in September, SolarWinds addressed a second patch bypass (CVE-2025-26399) for a WHD RCE flaw that CISA flagged as actively exploited in attacks more than a year earlier, adding it to its catalog of exploited security bugs and ordering federal agencies to secure their systems within three weeks.

At the time, SolarWinds said that the vulnerability was "a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986."

CISA also tagged a critical Web Help Desk hardcoded credentials flaw as actively exploited in October 2024, again asking government agencies to patch their devices.
