SOLARWINDS has patched six vulnerabilities in its Web Help Desk product, four of them rated critical, with the fixes shipped in Web Help Desk version 2026.1, released this week.
The four critical flaws are: CVE-2025-40551, an untrusted data deserialization issue that could enable remote code execution without authentication (CVSS 9.8), with exploitation tied to AjaxProxy functionality; CVE-2025-40552 and CVE-2025-40554, both described as authentication bypass defects that could allow remote attackers to trigger RCE; and CVE-2025-40553, another untrusted data deserialization flaw that could lead to unauthenticated RCE.
The remaining two high-severity issues are CVE-2025-40536, a security control bypass related to CSRF token verification and request parameter validation, and CVE-2025-40537, a hardcoded credentials bug. Horizon3[.]ai and WatchTowr discovered or reported the critical flaws, with Rapid7 noting the potential RCE risk for the two authentication-bypass defects. None of the six vulnerabilities has been flagged as exploited in the wild, but organisations are urged to update promptly.