SolarWinds released patches for six vulnerabilities in its Web Help Desk product, including four critical flaws that could enable unauthenticated remote code execution via untrusted data deserialization and AjaxProxy bypasses. The defects, discovered by Horizon3.ai and WatchTowr, are fixed in Web Help Desk version 2026.1 and organizations are urged to update immediately despite no known in-the-wild exploitation. #SolarWinds #CVE-2025-40551
Keypoints
- Four critical vulnerabilities in Web Help Desk can lead to unauthenticated remote code execution.
- CVE-2025-40551 is an untrusted data deserialization issue in AjaxProxy that allows RCE by bypassing input sanitization.
- WatchTowr reported three critical bugs, including authentication bypasses that may enable remote attackers to invoke sensitive methods.
- Two high-severity issues include a CSRF/security control bypass (CVE-2025-40536) and hardcoded demo credentials (CVE-2025-40537) that can enable privilege escalation.
- All six vulnerabilities are patched in Web Help Desk 2026.1 and organizations should apply the update promptly.
Read More: https://www.securityweek.com/solarwinds-patches-critical-web-help-desk-vulnerabilities/