MDR
Solutions
Partners
About
Resources
Multiple critical vulnerabilities have been identified in SolarWinds Web Help Desk (WHD), a web-based IT service management and asset tracking platform. The most severe issues allow unauthenticated remote code execution with SYSTEM-level privileges, potentially resulting in full system compromise. Affected systems include all versions of SolarWinds Web Help Desk prior to 2026.1. Successful exploitation could allow attackers to install programs, create privileged accounts, modify or delete data, and pivot to other systems within the environment.
CVE
CVE-2025-40551
CVE-2025-40553
CVE-2025-40552
CVE-2025-40554
CVE-2025-40536
CVE-2025-40537
Targeting / Delivery Mechanism
The vulnerabilities are exploitable via the web-based interface and align with Initial Access through exploitation of a public-facing application (T1190). Internet-exposed WHD deployments are at highest risk. Certain vulnerabilities require no authentication, significantly lowering the barrier to exploitation.
Execution Technique
The most critical flaws involve untrusted data deserialization leading to unauthenticated remote code execution. Additional vulnerabilities include authentication bypass, security control bypass, and hardcoded credential exposure. Combined, these issues can allow attackers to execute arbitrary commands and escalate privileges to SYSTEM.
Persistence / Deployment
Once SYSTEM access is achieved, attackers may deploy web shells, install backdoors, create administrative accounts, disable security controls, or use the compromised host for lateral movement.
Operational Impact
Risk is High across government and business entities of all sizes. Successful exploitation enables full host compromise, data manipulation, credential theft, service disruption, and potential enterprise-wide lateral movement. Because WHD often integrates with directory services and internal systems, compromise may extend beyond the initial server.
Validate Integrity
Identify SolarWinds Web Help Desk deployments and confirm upgrade status. Any version prior to 2026.1 is vulnerable. Review logs for suspicious authentication activity, abnormal administrative actions, unexpected process execution, or unusual outbound connections. Prioritise systems exposed to the internet or accessible from untrusted networks.
Respond to Confirmed Compromise
Immediately isolate affected servers. Upgrade to version 2026.1 or later. Conduct forensic analysis for web shells, new administrative accounts, modified services, and scheduled tasks. Reset all associated credentials, particularly service and domain accounts, and rebuild systems if integrity cannot be assured.
Strengthen Preventative Controls
Apply vendor updates following appropriate testing. Restrict internet exposure of WHD instances and place management interfaces behind VPN or access controls. Enforce least privilege for service accounts and implement continuous vulnerability scanning and segmentation to reduce exposure.
Trusted by clients worldwide
Led by human expertise and powered by the VisionX platform, we provide you with a 24/7 unbeatable Managed Detection & Response capability giving you transparent and consolidated security solutions.
.jpg)