
Description

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

PUBLISHED Reserved 2025-04-16 | Published 2026-01-28 | Updated 2026-02-04 | Assigner SolarWinds




CRITICAL: 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA Known Exploited Vulnerability

Date added 2026-02-03 | Due date 2026-02-06

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Problem types

CWE-502 Deserialization of Untrusted Data

Product status

Default status
affected

12.8.8 HF1 and below
affected

Credits

Jimi Sebree working with Horizon3.ai reporter

References

www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-40551 government-resource

www.solarwinds.com/...ter/security-advisories/CVE-2025-40551 vendor-advisory patch

documentation.solarwinds.com/...whd_2026-1_release_notes.htm release-notes

cve.org (CVE-2025-40551)

nvd.nist.gov (CVE-2025-40551)
