SolarWinds is yet again disclosing security vulnerabilities in one of its widely-used products. The company has released updates to patch six critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk (WHD) IT software.

These flaws could allow attackers to bypass authentication, perform remote code execution (RCE), and access certain functionality that should be gated. Of the six, four are rated “critical” (9.8 out of 10 on the CVSS severity scale), while the others are “high” (7.5 and 8.1 severity).

Because WHD has been actively exploited in the past, admins are advised to patch their vulnerable servers immediately, by upgrading to Web Help Desk 2026.1.

“We already know what happens if you compromise SolarWinds,” said David Shipley of Beauceron Security. “There’s a massive downstream risk. It’s critical that things are patched, updated, resolved as quickly as possible.”

‘RCE’: The three letters no security leader wants to hear

SolarWinds says it has more than 300,000 customers around the world, including a large portion of the Fortune 500 and major government and defense agencies. The company’s WHD product is popular among these organizations.

The vulnerabilities were discovered by independent researchers from watchTowr and Horizon3.ai. They include:

CVE-2025-40551 and CVE-2025-40553 expose WHD to untrusted data deserialization that could allow attackers to run commands on the host machine. These flaws can be exploited without authentication.

The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses which, if exploited, could allow attackers to invoke specific actions within Web Help Desk that should have been automatically protected by authentication.
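An added illustration of the bug class behind the two deserialization flaws, written for this article rather than taken from SolarWinds, watchTowr or Horizon3.ai, and not a description of how Web Help Desk itself is implemented. It uses Python's pickle as a stand-in for any object-graph deserializer: a stock unpickler resolves whatever module and class name the byte stream asks for, which is what lets an unauthenticated stream turn into command execution. The restricted unpickler below refuses every class not on an allow-list, and the JSON loader shows the more robust fix of not accepting an object-graph format from the network at all. The sample ticket records and their field schema are constructed for the example.

```python
import collections
import io
import json
import pickle

# Constructed sample inputs (not WHD data): a record built only from plain
# containers, and one that names a class the stream wants the receiver to look up.
BENIGN_PICKLE = pickle.dumps({"ticket": 42, "subject": "printer"})
OBJECT_PICKLE = pickle.dumps(collections.OrderedDict(ticket=42))

# (module, name) pairs the unpickler may resolve. Plain dicts, lists, strings and
# numbers are encoded as opcodes and never go through find_class, so this set can
# stay empty for data-only records; every global the stream names is checked here.
SAFE_GLOBALS: set[tuple[str, str]] = set()


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses to resolve any class not on the allow-list.

    The default find_class imports and returns whatever the stream names, and the
    stream can then direct the unpickler to call it. Refusing unknown names closes
    that path regardless of which class the stream asks for.
    """

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> tuple[bool, object]:
    """Return (True, value) for an accepted stream or (False, reason) for a rejected one."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Preferable fix: carry records in a data-only format with an explicit schema.
TICKET_SCHEMA = {"ticket": int, "subject": str}


def load_ticket_json(data: bytes) -> dict:
    """Parse a ticket record from JSON and enforce the expected field schema.

    json.loads can only produce plain data, so there is no class resolution to
    restrict; the schema check rejects unexpected or mistyped fields.
    """
    record = json.loads(data)
    if not isinstance(record, dict) or set(record) != set(TICKET_SCHEMA):
        raise ValueError("unexpected fields in ticket record")
    for field, kind in TICKET_SCHEMA.items():
        if type(record[field]) is not kind:
            raise ValueError(f"field {field!r} must be {kind.__name__}")
    return record


if __name__ == "__main__":
    print(try_load(BENIGN_PICKLE))
    print(try_load(OBJECT_PICKLE))
    print(load_ticket_json(b'{"ticket": 42, "subject": "printer"}'))
```

The rejected stream here names the harmless `collections.OrderedDict`, but the unpickler treats every non-allow-listed class the same way, which is the point: the receiver, not the sender, decides what code can be reached during deserialization.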

“Those are three letters you never want to hear: ‘I got RCE’d’,” said Beauceron’s Shipley, noting that data deserialization can expose enterprise secrets. “That’s the worst. You really, really, really don’t want an RCE.”

The four critical bugs are typically very reliable to exploit due to their deserialization and authentication logic flaws, noted Ryan Emmons, security researcher at Rapid7. “For attackers, that’s good news, because it means avoiding lots of bespoke exploit development work like you’d see with other less reliable bug classes.”

Instead, attackers can use a standardized malicious payload across many vulnerable targets, Emmons noted. “If exploitation is successful, the attackers gain full control of the software and all the information stored by it, along with the potential ability to move laterally into other systems.”

Meanwhile, the high-severity vulnerability CVE-2025-40536 would allow threat actors to bypass security controls and gain access to certain functionalities that should be restricted only to authenticated users. Finally, CVE-2025-40537 is a hardcoded credentials vulnerability that, “under certain situations,” could provide access to administrative functions.

How enterprises should respond

SolarWinds provides detailed instructions for upgrading vulnerable servers to Web Help Desk 2026.1. Security teams must be vigilant on this, analysts emphasize.

Emmons advised that the most important things defenders can do right now are upgrade to the latest version on an emergency basis, and investigate any anomalous activity on servers that might have been targeted.

“These are bugs that likely won’t take long to develop weaponized exploits for, so time is of the essence for the best outcome,” he emphasized.

SolarWinds’ troubles just keep going on

These vulnerabilities reflect an unfortunate pattern for SolarWinds, whose WHD has repeatedly been under attack. Most recently, in September, the software company addressed a second patch bypass (CVE-2025-26399) for a WHD RCE flaw that was flagged a year earlier by the Cybersecurity and Infrastructure Security Agency (CISA) as being actively exploited. Also in 2024, the federal agency called out a credential flaw hardcoded into WHD.

“It’s like, ‘not again,’” said Shipley. “Everyone has this visceral, emotional reaction based on what happened to them five years ago.”

Major breaches have a “brand blast radius, a brand half life,” he noted, and this may bring back “past traumas” for IT managers. SolarWinds is familiar to attackers, who realize it is a brand that could pay off.

“It’s all about the rolling impact, the ROI side,” he said. Threat actors understand that they have a narrow attack window, and they want to maximize their chances for data exfiltration or ransom. And, if they’re nation-state actors, the goal is to create “maximum havoc.”

“It’s a perverse form of brand awareness that you never want,” said Shipley.

While this incident is bad news, the good news is it’s not the same error, he noted. Also, in terms of RCEs, SolarWinds hasn’t been as impacted as Cisco and Fortinet, the latter of which has faced criticism over ‘silent’ patching.

Vendors must get down past the symptom layer and address the root cause of vulnerabilities in programming logic, he said, pointing out, “they plug the hole, but don’t figure out why they keep having holes.”

Ultimately, he said, “this is unsustainably bad for IT managers. We’re hitting the breaking point.” In the US, cybersecurity should be a regulatory priority; while it was an area of focus for the previous administration, there’s been a “complete U-turn” under the current regime.

“The only way out of this mess is to have better code,” Shipley noted. But, “we are now doomed to the legacy code, [plus whatever vibe code adds to the mix]. The levees are going to break soon. We’re going to have our code Katrina moment,” he said.
