theinfosecnews

CVE-2025-40551

CISA KEV

Published February 3, 2026 · Updated April 3, 2026

Severity: high

What This Means

## CVE-2025-40551: SolarWinds Web Help Desk Unauthenticated RCE

**What it is:** SolarWinds Web Help Desk accepts and deserializes untrusted data without validation, allowing unauthenticated attackers to inject malicious serialized objects and execute arbitrary code on the server.

**Impact:** An attacker can gain complete command execution on any Web Help Desk instance exposed to the network, leading to full system compromise, lateral movement, and data exfiltration, with no credentials required.

**Action:** Immediately inventory all Web Help Desk deployments. Apply SolarWinds patches when available. Restrict network access to Web Help Desk instances using firewall rules or network segmentation until patching is complete. Monitor for POST requests to deserialization endpoints and for unusual process execution from the Web Help Desk application process.

Official Description

SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

Affected Products

| Vendor     | Product       |
|------------|---------------|
| SolarWinds | Web Help Desk |

Patch Status

Patch by 2026-02-06

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2025-40551.

Related Coverage

Vulnerability

CVE-2025-40551: Unauthenticated RCE Flaw in SolarWinds Web Help Desk Demands Immediate Patching

CVE-2025-40551 is a critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk, caused by improper deserialization of untrusted data. An attacker with network access can send a malicious serialized payload to execute arbitrary commands on the host without any credentials. CISA has added the flaw to its Known Exploited Vulnerabilities catalog with a federal patch deadline of February 6, 2026.
