
SolarWinds Patches Critical Web Help Desk Vulnerabilities


SolarWinds on Wednesday announced patches for six vulnerabilities in the Web Help Desk product, including four critical-severity bugs.

First in line is CVE-2025-40551 (CVSS score of 9.8), a critical flaw described as an untrusted data deserialization issue that could lead to remote code execution (RCE) without authentication.

According to Horizon3.ai, which discovered and reported the defect, CVE-2025-40551 exists in the AjaxProxy functionality, where requests destined for other functions are improperly sanitized: a blocklist check can be bypassed by placing allowed terms early in a JSON payload, so that the request is treated as benign before the rest of the payload is inspected.
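The filter-ordering weakness Horizon3.ai describes can be illustrated with a toy check. The following Python is an added example, not code from SolarWinds, Horizon3.ai, or the Web Help Desk product; the allowed and blocked terms, the JSON shapes, and the function names are constructed for illustration and say nothing about the real AjaxProxy internals. It contrasts a position-sensitive blocklist with a check that parses the whole document and inspects every string.

```python
import json
import re

# Constructed, hypothetical terms for the toy filter (not the real product's lists).
ALLOWED_TERMS = ("getTicket", "listCustomers")
BLOCKED_PATTERN = re.compile(r"java\.lang\.Runtime|ProcessBuilder|ldap://", re.IGNORECASE)


def naive_blocklist_filter(payload: str) -> bool:
    """Flawed filter shaped like the bypass described above.

    It locates the earliest allowed term and the earliest blocked term in the
    raw text. If an allowed term appears first, the request is treated as a
    legitimate call and the rest of the payload is never scrutinised.
    Returns True when the request would be let through.
    """
    blocked = BLOCKED_PATTERN.search(payload)
    if blocked is None:
        return True
    allow_positions = [payload.find(t) for t in ALLOWED_TERMS if t in payload]
    if not allow_positions:
        return False
    return min(allow_positions) < blocked.start()


def _walk_strings(node):
    """Yield every key and string value anywhere in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _walk_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _walk_strings(value)
    elif isinstance(node, str):
        yield node


def hardened_filter(payload: str) -> bool:
    """Parse the full payload before deciding anything.

    Position in the byte stream carries no meaning here: the requested action
    must itself be allowlisted, and every string in the document (not just the
    first hit) is checked against the blocklist. Malformed JSON is rejected.
    Returns True when the request would be let through.
    """
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError:
        return False
    if not isinstance(doc, dict) or doc.get("action") not in ALLOWED_TERMS:
        return False
    return not any(BLOCKED_PATTERN.search(s) for s in _walk_strings(doc))


# Constructed sample requests. BYPASS front-loads an allowed term so the
# blocked one further along is never reached by the naive filter; REORDERED
# is the same content with the blocked term first, which the naive filter
# happens to catch, showing that its outcome depends on byte order alone.
BENIGN = '{"action": "getTicket", "id": 42}'
BYPASS = '{"action": "getTicket", "extra": {"type": "java.lang.Runtime"}}'
REORDERED = '{"extra": {"type": "java.lang.Runtime"}, "action": "getTicket"}'
NO_ACTION = '{"extra": {"type": "java.lang.Runtime"}}'


def compare_filters() -> dict:
    """Run both filters over the samples and return their verdicts."""
    samples = {"benign": BENIGN, "bypass": BYPASS, "reordered": REORDERED, "no_action": NO_ACTION}
    return {
        name: {"naive": naive_blocklist_filter(p), "hardened": hardened_filter(p)}
        for name, p in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:10s} naive={verdict['naive']!s:5s} hardened={verdict['hardened']}")
```

The lesson is not the specific terms but the shape of the check: any filter that decides on the first matching token, or stops scanning once it has seen something familiar, is bypassable by an attacker who controls the layout of the payload. The durable fix for a deserialization sink is to refuse attacker-chosen types altogether rather than to refine the blocklist.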

The same method, Horizon3.ai explains, was used to exploit CVE-2024-28986 and the subsequent bypasses tracked as CVE-2024-28988 and CVE-2025-26399, all of which were also rooted in the AjaxProxy functionality.

The remaining three critical vulnerabilities, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554 (each with a CVSS score of 9.8), were discovered and reported by watchTowr.

CVE-2025-40553 is another untrusted data deserialization flaw that could lead to unauthenticated RCE ...


Copyright of this story solely belongs to securityweek. The full text is available on the original site.