SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws

SolarWinds released updates for Web Help Desk to patch multiple critical authentication bypass and remote command execution flaws, including CVE-2025-40551 through CVE-2025-40554, plus a high-severity hardcoded credentials issue. Administrators are urged to upgrade to Web Help Desk 2026.1 and apply patches immediately because WHD vulnerabilities have been repeatedly exploited in attacks and flagged by CISA.

Key points

  • SolarWinds patched authentication bypass flaws CVE-2025-40552 and CVE-2025-40554 that allow unauthenticated access.
  • A deserialization-of-untrusted-data RCE flaw (CVE-2025-40553) lets attackers without privileges run commands.
  • Horizon3.ai researcher Jimi Sebree reported CVE-2025-40551, an RCE flaw that enables unauthenticated remote command execution.
  • A high-severity hardcoded credentials flaw (CVE-2025-40537), which could grant low-privilege users admin access under certain conditions, was also fixed.
  • Admins should upgrade to Web Help Desk 2026.1 immediately because WHD has a history of active exploitation and CISA advisories.

Read More: https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/