CyberLeveling Logo
SolarWinds Web Help Desk Vulnerabilities

SolarWinds Web Help Desk Vulnerabilities: January 2026 Disclosure Explained

Executive Summary

In late January 2026, SolarWinds disclosed and patched a set of critical security vulnerabilities affecting its Web Help Desk (WHD) product. Several of these flaws enable unauthenticated remote code execution (RCE) or authentication bypass, placing unpatched and internet-exposed systems at high risk of full compromise.

A frequent source of confusion is that these vulnerabilities are tracked using CVE identifiers beginning with “2025”, even though they were publicly disclosed in January 2026. This blog post explains:

  • Which specific CVEs were involved
  • What technical impact they have
  • When they were disclosed and patched
  • Why the CVE year does not match the disclosure year
  • What organizations should do next

Affected Product

SolarWinds Web Help Desk

All versions prior to 2026.1 are affected

Version 2026.1 contains fixes for all vulnerabilities discussed below

The Disclosed CVEs (Full List)

🔴 Critical Remote Code Execution (RCE)

CVE-2025-40551

  • Type: Untrusted data deserialization (CWE-502)
  • Impact: Unauthenticated remote code execution
  • CVSS v3.1: 9.8 (Critical)
  • Details: An attacker can send crafted data that is deserialized without proper validation, leading to arbitrary code execution on the server.

CVE-2025-40553

  • Type: Untrusted data deserialization
  • Impact: Unauthenticated remote code execution
  • CVSS v3.1: 9.8 (Critical)
  • Details: A second, distinct deserialization flaw affecting a different execution path, also resulting in full system compromise.

🔴 Critical Authentication Bypass

CVE-2025-40552

  • Type: Authentication bypass
  • Impact: Unauthorized access to restricted functionality
  • CVSS v3.1: 9.8 (Critical)
  • Details: Allows attackers to invoke application methods without valid authentication, bypassing access controls entirely.

CVE-2025-40554

  • Type: Authentication bypass (variant)
  • Impact: Unauthorized access and method invocation
  • CVSS v3.1: 9.8 (Critical)
  • Details: A separate authentication logic flaw that can be chained with RCE vulnerabilities for rapid exploitation.

🟠 High-Severity Supporting Vulnerabilities

CVE-2025-40536

  • Type: Security control bypass
  • Severity: High
  • Details: Enables attackers to bypass certain security mechanisms, weakening enforcement of authorization boundaries.

CVE-2025-40537

  • Type: Hard-coded credentials
  • Severity: High
  • Details: A default credential condition that could allow unauthorized access in specific configurations if not remediated.

Why These Vulnerabilities Are Especially Dangerous

Individually, these vulnerabilities are serious. Combined, they are extremely dangerous:

  • Authentication bypass removes the need for credentials
  • Deserialization flaws enable arbitrary code execution
  • Attackers can move from unauthenticated access → full system compromise in a single chain

Web Help Desk systems often have:

  • Access to internal networks
  • Service accounts
  • Database credentials
  • Ticketing and user data

This makes Web Help Desk a high-value target.

Disclosure Timeline (January 2026)

January 28, 2026

  • CVE records were published in vulnerability databases
  • Public security reporting began

January 29, 2026

  • SolarWinds released Web Help Desk 2026.1
  • Official fixes became available

Disclosure and patch release occurred in close coordination, limiting—but not eliminating—risk.

Why the CVEs Say “2025” Instead of “2026”

This is a common misunderstanding.

CVE Year = Assignment Year, Not Disclosure Year

CVE identifiers reflect when the CVE ID was assigned or reserved. They do not necessarily reflect:

  • Public disclosure date
  • Patch release date

What Likely Happened Here

  • Vulnerabilities were reported and validated during 2025
  • CVE IDs were reserved in 2025
  • Engineering, testing, and coordinated disclosure extended into early 2026
  • Public disclosure occurred only once fixes were ready

Once assigned, CVE IDs never change years, even if disclosure happens later. This behavior is normal and expected within the CVE system.

What Organizations Should Do Now

Immediate Actions

  • Upgrade to SolarWinds Web Help Desk 2026.1 immediately
  • Treat any exposed or internet-reachable WHD instance as high risk
  • Review:
    • Application logs
    • Authentication attempts
    • Unusual process execution
    • Unexpected outbound network connections

Defensive Best Practices

  • Restrict Web Help Desk access behind VPN or internal networks
  • Minimize service account privileges
  • Monitor for deserialization exploitation patterns
  • Maintain an asset inventory of externally accessible management tools

Key Takeaways

  • Multiple critical vulnerabilities affected SolarWinds Web Help Desk
  • Four CVEs (40551–40554) allow unauthenticated compromise
  • CVE year reflects assignment, not disclosure
  • Patch availability does not eliminate risk if exploitation occurred before updating
  • Administrative and IT tools must be treated as Tier-1 security assets