CVE-2025-40551

SolarWinds Web Help Desk Deserialization of Untrusted Data Remote Code Execution Vulnerability

CVSS 9.8 CRITICAL | EPSS 84.1% | KEV | CWE-502
In short

SolarWinds Web Help Desk can be compromised remotely without any credentials because it unsafely deserializes untrusted data, allowing an attacker to run commands on the server.

Technical detail

The application deserializes untrusted input without validation (CWE-502), enabling unauthenticated remote code execution via crafted serialized objects. Because the vulnerable endpoint is reachable over the network, an attacker can achieve arbitrary command execution on the host with the privileges of the application process.

Summary generated and translated by AI from the official description.
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
