securityonline.info 1/28/2026, 11:20:24 AM · via preferred

SolarWinds Web Help Desk Hit with Multiple RCE and Auth Bypass Vulnerabilities

SECURITYONLINE[.]info reports a batch of critical vulnerabilities affecting SolarWinds Web Help Desk (WHD), spanning unauthenticated remote code execution and authentication bypass flaws that could let attackers compromise host machines. The most dangerous entries are two untrusted data deserialization flaws, CVE-2025-40551 and CVE-2025-40553, both with a CVSS score of 9.8, in which malicious data can be turned into executing code, potentially enabling unauthenticated RCE.

Additional authentication bypass flaws, CVE-2025-40552 and CVE-2025-40554, also carry a 9.8 score, allowing actions normally protected by authentication to be performed without a valid account. Other entries include CVE-2025-40536, a high-severity security control bypass, and CVE-2025-40537, a hardcoded credentials vulnerability that could give access to administrative functions.

The findings, credited to Jimi Sebree of Horizon3[.]ai and Piotr Bazydlo of watchTowr, underscore significant input validation and access-control weaknesses in WHD, prompting administrators to apply the latest patches at once.

Article by CyberSIXT