thehackernews.com 1/29/2026, 10:00:33 AM

SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass

SolarWinds has released security updates for Web Help Desk to fix four critical vulnerabilities that could permit unauthenticated remote code execution and authentication bypass.

The four critical flaws are CVE-2025-40551 and CVE-2025-40553, both described as deserialization vulnerabilities that could enable RCE, and CVE-2025-40552 and CVE-2025-40554, described as authentication bypasses that could also lead to RCE. Two further issues, CVE-2025-40536 (a bypass) and CVE-2025-40537 (hard-coded credentials), are listed alongside them. CVSS scores for the six flaws range from 7.5 to 9.8; all six are addressed in WHD 2026.1.

The vulnerabilities were originally reported by Jimi Sebree of Horizon3[.]ai and watchTowr’s Piotr Bazydlo. Rapid7 describes the deserialization flaws as highly reliable vectors for unauthenticated remote code execution and notes that RCE via deserialization is a significant risk when exploitation requires no authentication, which is why customers are urged to update to the latest WHD version.


Article by CyberSIXT