
SolarWinds addressed four critical Web Help Desk flaws

  • January 29, 2026

Jasper_The_Rasper
Moderator

January 29, 2026 By Pierluigi Paganini


SolarWinds patched six Web Help Desk vulnerabilities, including four critical flaws exploitable without authentication for RCE or auth bypass.

SolarWinds released security updates to address six Web Help Desk vulnerabilities, including four critical bugs that allow unauthenticated remote code execution or authentication bypass.

The three critical flaws found by watchTowr, and specifically by researcher Piotr Bazydlo, affect SolarWinds Web Help Desk and can be exploited without authentication, exposing affected systems to severe risk.

The first issue, tracked as CVE-2025-40552, is an authentication bypass vulnerability that allows a remote attacker to circumvent access controls and execute actions and methods that should only be available to authenticated users. Exploitation of this flaw could give an attacker broad control over the application.

The second vulnerability, CVE-2025-40553, is caused by the deserialization of untrusted data and can be exploited to achieve remote code execution. Because authentication is not required, an attacker could run arbitrary commands on the underlying host system, potentially leading to a full system compromise.

The third flaw, CVE-2025-40554, is another authentication bypass vulnerability that enables an attacker to invoke specific internal actions within Web Help Desk without proper authorization. While more targeted in scope, successful exploitation could still allow unauthorized access to sensitive functionality and be used as a stepping stone for further attacks.

The fourth critical flaw, tracked as CVE-2025-40551, was found by Jimi Sebree of Horizon3.ai and affects SolarWinds Web Help Desk through the deserialization of untrusted data. This vulnerability allows an unauthenticated attacker to achieve remote code execution, enabling the execution of arbitrary commands on the underlying host system and potentially leading to a complete compromise of the affected server. Due to its impact and lack of authentication requirements, the issue is rated critical (CVSS 9.8).
