Untrusted Data Deserialization Vulnerability in SolarWinds Web Help Desk
CVE-2025-40551

9.8CRITICAL

Key Information:

Vendor

Solarwinds
Status
Web Help Desk
Vendor
CVE Published:
28 January 2026

Badges

πŸ‘Ύ Exploit Exists🟣 EPSS 22%πŸ¦… CISA ReportedπŸ“° News Worthy

What is CVE-2025-40551?

SolarWinds Web Help Desk is vulnerable to an untrusted data deserialization flaw that could permit remote code execution. This weakness can be exploited by attackers to execute arbitrary commands on the affected host without requiring authentication, leading to significant security risks for organizations using this software. It is crucial for users to apply security patches and updates to safeguard their systems from potential attacks.

CISA has reported CVE-2025-40551

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2025-40551 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Web Help Desk 12.8.8 HF1 and below

News Articles

favicon imageThe Hacker News

CISA Adds Actively Exploited SolarWinds Web Help Desk RCE to KEV Catalog

CISA adds an actively exploited SolarWinds Web Help Desk RCE flaw to KEV, ordering federal agencies to patch by February 2026.

4 days ago

favicon imageBleepingComputer

CISA flags critical SolarWinds RCE flaw as exploited in attacks

CISA has flagged a critical SolarWinds Web Help Desk vulnerability as actively exploited in attacks and ordered federal agencies to patch their systems within three days.

4 days ago

References

https://www.solarwinds.com/trust-center/security-advisori...
vendor-advisorypatch
https://documentation.solarwinds.com/en/success_center/wh...
release-notes

EPSS Score

22% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • πŸ‘Ύ

    Exploit known to exist

  • πŸ¦…

    CISA Reported

  • πŸ“°

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jimi Sebree working with Horizon3.ai
JSON
.