Full Report
SolarWinds has released security updates to address multiple security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE). The list of vulnerabilities is as follows - CVE-2025-40536 (CVSS score: 8.1) - A security control bypass vulnerability that could allow an unauthenticated
Analysis Summary
# Vulnerability: Multiple Critical Flaws in SolarWinds Web Help Desk Leading to RCE and Auth Bypass
## CVE Details
- CVE ID: CVE-2025-40536 (CVSS score: 8.1)
- CVE ID: CVE-2025-40537 (CVSS score: 7.5)
- CVE ID: CVE-2025-40551 (CVSS score: 9.8)
- CVE ID: CVE-2025-40552 (CVSS score: 9.8)
- CVE ID: CVE-2025-40553 (CVSS score: 9.8)
- CVE ID: CVE-2025-40554 (CVSS score: 9.8)
- CWE: Not explicitly listed in the summary; the flaw classes described correspond to security control bypass, use of hard-coded credentials, and deserialization of untrusted data.
## Affected Systems
- Products: SolarWinds Web Help Desk
- Versions: All versions prior to WHD 2026.1
- Configurations: Not specified; because the RCE and authentication bypass flaws are exploitable remotely, network access to the Web Help Desk interface is the likely prerequisite.
## Vulnerability Description
SolarWinds Web Help Desk is affected by multiple vulnerabilities. Four of these are rated Critical (CVSS 9.8):
1. **CVE-2025-40551 & CVE-2025-40553**: Critical deserialization of untrusted data vulnerabilities that allow a remote *unauthenticated* attacker to achieve Remote Code Execution (RCE) and run arbitrary OS commands. Exploitation requires establishing a session, creating a `LoginPref` component, setting its state to allow file upload, using the JSONRPC bridge to create malicious Java objects, and triggering them.
2. **CVE-2025-40552 & CVE-2025-40554**: Authentication bypass vulnerabilities that allow actions and methods to be invoked without authentication and that could also be leveraged to obtain RCE, similar to the deserialization flaws.
3. **CVE-2025-40536**: A security control bypass allowing an unauthenticated attacker to access restricted functionality.
4. **CVE-2025-40537**: Hard-coded credentials allowing access to administrative functions via the "client" user account.
## Exploitation
- Status: Not explicitly reported as exploited in the wild for these specific CVEs, but RCE via deserialization is described as a "highly reliable vector for attackers," and prior WHD flaws have been actively exploited.
- Complexity: Low (for the RCE flaws, which are exploitable without authentication).
- Attack Vector: Network (implied, particularly for the RCE flaws).
## Impact
- Confidentiality: High (Likely, especially with RCE allowing file access).
- Integrity: High (RCE allows arbitrary command execution and potential system compromise).
- Availability: High (RCE can lead to denial of service or system destruction).
## Remediation
### Patches
- Apply security updates released by SolarWinds, specifically upgrading to **WHD 2026.1** or later.
### Workarounds
- No specific workarounds were detailed in the provided text. Where immediate patching is impossible, the general mitigations for deserialization/RCE flaws apply: strict ingress filtering on the exposed input vectors (limiting who can reach the Web Help Desk interface) and network segmentation.
## Detection
- Indicators of Compromise (IoCs): No specific IoCs were provided. Endpoint detection should monitor for unusual process execution spawned by the Web Help Desk application, particularly following file uploads or JSONRPC bridge activity.
- Detection methods and tools: Monitor network traffic for suspicious payloads targeting the deserialization entry points (e.g., JSONRPC calls).
## References
- Vendor Advisories: [https://www.solarwinds.com/trust-center/security-advisories](https://www.solarwinds.com/trust-center/security-advisories)
- Patch/Release Notes: [https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm](https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm)
- Exploit Detail (CVE-2025-40551): hxxps://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/