Full Report
Multiple vulnerabilities have been discovered in SolarWinds Web Help Desk, the most severe of which could allow for arbitrary code execution. SolarWinds Web Help Desk (WHD) is web-based software that provides IT help desk and asset management functionality, allowing IT teams to manage service requests, track IT assets, and offer self-service options to end users. Successful exploitation of the most severe of these vulnerabilities could allow an actor to execute code in the context of SYSTEM. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis Summary
# Vulnerability: Multiple Severe Flaws in SolarWinds Web Help Desk Leading to RCE
## CVE Details
- CVE ID: CVE-2025-40551, CVE-2025-40553, CVE-2025-40552, CVE-2025-40554, CVE-2025-40536, CVE-2025-40537
- CVSS Score: Not explicitly provided; the severity implies High, since the most severe flaw allows code execution in the SYSTEM context.
- CWE: Deserialization of Untrusted Data (CVE-2025-40551, CVE-2025-40553), Authentication Bypass (CVE-2025-40552, CVE-2025-40554), Security Control Bypass (CVE-2025-40536), Hardcoded Credentials (CVE-2025-40537).
## Affected Systems
- Products: SolarWinds Web Help Desk (WHD)
- Versions: Versions prior to 2026.1
- Configurations: All affected versions; Internet-exposed (public-facing) WHD instances carry the greatest risk, since the vulnerabilities are reachable over the network.
## Vulnerability Description
Multiple vulnerabilities were identified across SolarWinds Web Help Desk. The most critical issues include:
1. **Untrusted Data Deserialization (CVE-2025-40551, CVE-2025-40553):** This flaw can lead to unauthenticated Remote Code Execution (RCE) allowing an attacker to run commands on the host machine with SYSTEM context.
2. **Authentication Bypass (CVE-2025-40552, CVE-2025-40554):** Allows malicious actors to execute actions and methods that should be protected by authentication.
3. **Security Control Bypass (CVE-2025-40536):** Could allow an unauthenticated attacker to gain access to restricted functionality.
4. **Hardcoded Credentials (CVE-2025-40537):** Can grant access to administrative functions under specific situations.
Successful exploitation of the most severe flaws grants an actor SYSTEM-level execution, enabling them to install software, modify/delete data, or create new user accounts with full rights.
## Exploitation
- Status: Not known to be exploited in the wild as of the advisory date. No public proof of concept confirms the exact RCE mechanism, but the unauthenticated deserialization flaws indicate high exploitability.
- Complexity: Likely Low for the RCE flaws, which require no authentication and target a public-facing application.
- Attack Vector: Network (Initial Access Tactic: Exploit Public-Facing Application).
## Impact
- Confidentiality: High (System context access allows viewing all data).
- Integrity: High (Ability to change or delete data, run arbitrary commands).
- Availability: High (Ability to cause service disruption or data loss).
## Remediation
### Patches
- Apply updates provided by SolarWinds to move to **SolarWinds Web Help Desk version 2026.1** or later.
### Workarounds
- No specific workarounds were detailed in the provided context; immediate patching (M1051: Update Software) is the primary recommendation, alongside the vulnerability management safeguards of CIS Control 7 (7.1, 7.2, 7.4, 7.5, 7.7).
## Detection
- Indicators of compromise (IOCs) are not explicitly defined. Monitoring should focus on unexpected process execution originating from the WHD service (for example, a command shell or scripting host spawned by the WHD service process, particularly under the SYSTEM account) and on network activity to WHD endpoints that matches the deserialization/RCE pattern.
- Detection methods should focus on establishing and maintaining a comprehensive Vulnerability Management Process (Safeguard 7).
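The following is an added example, not tooling from SolarWinds or from the advisory. It implements the two checks a defender would want from the Remediation and Detection sections: a version test that flags WHD builds older than the fixed 2026.1 release, and a scan of process-creation events for shells or scripting hosts spawned by the WHD service process. It assumes Sysmon-style event fields (Image, ParentImage, CommandLine, ParentCommandLine, User) and a hypothetical WHD service process identified by "whd" in its parent command line; the sample events are constructed for the example.

```python
"""Added defender-side example for the WHD advisory (not vendor code).

Checks:
  1. is_vulnerable_version(): installed build older than the fixed 2026.1 release.
  2. find_suspicious_children(): Sysmon-style process-creation events in which
     the WHD service process spawns a shell or scripting host.

ASSUMPTIONS (not stated in the advisory): the WHD service runs as a Java
process whose command line contains "whd"; events are flattened to dicts
with Sysmon Event ID 1 field names.
"""
import re
from typing import Dict, Iterable, List, Tuple

FIXED_VERSION = "2026.1"  # from the advisory: versions prior to 2026.1 are affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2025.4.1' or '12.8.3' into a comparable tuple of integers."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed build is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


# Assumed identifier for the WHD service parent process (placeholder pattern).
WHD_PARENT_PATTERN = re.compile(r"\bwhd\b", re.IGNORECASE)

# Child images a web application service has no normal reason to launch.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe", "regsvr32.exe",
}


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_suspicious_children(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return events where the WHD service process spawned a suspicious child."""
    hits = []
    for ev in events:
        parent = ev.get("ParentCommandLine", "") + " " + ev.get("ParentImage", "")
        if not WHD_PARENT_PATTERN.search(parent):
            continue  # parent is not the WHD service process
        child = image_name(ev.get("Image", ""))
        if child in SUSPICIOUS_CHILDREN:
            hits.append({
                "pid": ev.get("ProcessId", ""),
                "image": child,
                "command": ev.get("CommandLine", ""),
                "user": ev.get("User", ""),
                "system_context": ev.get("User", "").upper().endswith("\\SYSTEM"),
            })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"ProcessId": "4120", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Program Files\WebHelpDesk\jre\bin\java.exe",
     "ParentCommandLine": "java.exe -jar whd.jar"},
    {"ProcessId": "4131", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Process",
     "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Program Files\WebHelpDesk\jre\bin\java.exe",
     "ParentCommandLine": "java.exe -jar whd.jar"},
    {"ProcessId": "4140", "Image": r"C:\Program Files\WebHelpDesk\jre\bin\java.exe",
     "CommandLine": "java.exe -version", "User": r"NT AUTHORITY\SYSTEM",
     "ParentImage": r"C:\Program Files\WebHelpDesk\jre\bin\java.exe",
     "ParentCommandLine": "java.exe -jar whd.jar"},
    {"ProcessId": "5002", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "User": r"CORP\analyst",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": "explorer.exe"},
]


if __name__ == "__main__":
    print("2025.4 vulnerable:", is_vulnerable_version("2025.4"))
    for hit in find_suspicious_children(SAMPLE_EVENTS):
        print("ALERT", hit)
```

The version test is only a triage aid; the authoritative fix is the upgrade to 2026.1 listed under Patches. The process check is intentionally narrow (parent is the WHD service, child is a shell or scripting host) so that it produces few alerts and each one merits investigation; a Java helper spawned by the same parent, as in the third sample event, is not flagged.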
## References
- Vendor Advisory: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
- CVE Lookups:
  - https://www.cve.org/CVERecord?id=CVE-2025-40536
  - https://www.cve.org/CVERecord?id=CVE-2025-40537
  - https://www.cve.org/CVERecord?id=CVE-2025-40551
  - https://www.cve.org/CVERecord?id=CVE-2025-40552
  - https://www.cve.org/CVERecord?id=CVE-2025-40553
  - https://www.cve.org/CVERecord?id=CVE-2025-40554