SolarWinds has released a critical security advisory addressing multiple severe vulnerabilities in its Web Help Desk (WHD) platform that impact versions prior to 2026.1. Among the six issues patched, four carry a CVSS 3.x base score of 9.8 and can be exploited without authentication — including remote code execution (RCE) and authentication bypass bugs. These flaws pose a serious risk to organizations that expose WHD to untrusted networks or the internet.
SolarWinds WHD is a web-based IT service management and help desk solution used widely for ticketing, asset tracking, and service request workflows. The latest patch cycle (WHD 2026.1) addresses a set of high-impact vulnerabilities that could allow attackers to compromise systems, execute arbitrary commands, or bypass authentication controls without valid credentials.
Below are the critical CVEs and their details:
Critical CVEs Fixed in WHD 2026.1
CVE-2025-40551 — Deserialization of Untrusted Data → Remote Code Execution
- Severity: Critical (CVSS 9.8)
- Type: Untrusted Data Deserialization (CWE-502)
- Impact: Allows a remote, unauthenticated attacker to send crafted data that the server improperly deserializes, leading to arbitrary code execution on the WHD host. This gives the attacker full control over the system process running WHD.
- Details: The issue stems from insecure handling of serialized data (e.g., via AjaxProxy), enabling attackers to trigger dangerous object instantiation and execution.
CVE-2025-40552 — Authentication Bypass → Potential RCE or Unauthorized Actions
- Severity: Critical (CVSS 9.8)
- Type: Authentication Bypass (CWE-1390)
- Impact: An attacker can circumvent authentication controls and invoke protected actions or methods that should require valid credentials.
- Details: While nominally an auth bypass issue, its practical impact is extreme: once bypassed, an attacker can often chain this to gain the same effect as remote code execution.
CVE-2025-40553 — Deserialization of Untrusted Data → Remote Code Execution
- Severity: Critical (CVSS 9.8)
- Type: Untrusted Data Deserialization (CWE-502)
- Impact: Similar to CVE-2025-40551, this flaw allows a remote unauthenticated attacker to supply malicious serialized input and force WHD to execute arbitrary code on the host machine.
- Details: Discovered by watchTowr, it highlights persistent unsafe deserialization patterns in WHD’s request handling.
CVE-2025-40554 — Authentication Bypass → Unauthorized Function Invocation
- Severity: Critical (CVSS 9.8)
- Type: Authentication Bypass (CWE-1390)
- Impact: Allows unauthenticated attackers to invoke or execute specific internal functions within the WHD application that should require authentication.
- Details: Like CVE-2025-40552, exploitation can lead to further compromise and elevated access.
Other High-Severity Fixes Included
While the focus is on the four critical bugs above, WHD 2026.1 also fixes:
- CVE-2025-40536 (CVSS 8.1) – Security control bypass: an attacker may access restricted functionality via malformed requests.
- CVE-2025-40537 (CVSS 7.5) – Hard-coded credentials: under certain conditions, default credentials may allow administrative access.
Risk and Impact
Unauthenticated RCE and bypass vulnerabilities are among the most severe in any software product because:
- They do not require valid logins to exploit.
- They can lead to complete server compromise and command execution at system level.
- They drastically expand an attacker’s access footprint, enabling destructive actions, data theft, malware deployment, or full network pivoting.
These issues are particularly urgent for organizations operating WHD instances accessible from public networks or poorly segmented internal networks.
Recommended Action (Priority Patch)
- Apply WHD 2026.1 immediately.
- This release resolves all identified CVEs listed above.
- Restrict WHD exposure.
- Apply firewall rules, VPN access, or network segmentation to limit who can reach the WHD interface.
- Perform vulnerability scanning.
- Validate that no outdated WHD instances remain.
- Implement strong authentication and audit trails.
