SolarWinds patched six Web Help Desk vulnerabilities, including four critical flaws that can be exploited without authentication for remote code execution or to bypass authentication. The four critical issues, tracked as CVE-2025-40552, CVE-2025-40553, CVE-2025-40554 and CVE-2025-40551, were identified by watchTowr and Horizon3[.]ai and could give an attacker broad or unauthenticated access to execute arbitrary commands on the underlying host.
The advisory notes that all four critical flaws have a CVSS score of 9.8; one is a deserialization-based RCE and another is an authentication bypass that enables internal actions without proper authorisation. In addition, two high-severity flaws were disclosed: CVE-2025-40536, a security control bypass, and CVE-2025-40537, involving hardcoded credentials.
According to the Horizon3[.]ai advisory, SolarWinds has stated that these issues are patched in Web Help Desk version 2026.1, and users are urged to upgrade as soon as possible.