CVE-2025-40553 PUBLISHED

SolarWinds Web Help Desk Deserialization of Untrusted Data Remote Code Execution Vulnerability

Assigner: SolarWinds
Reserved: 16.04.2025 Published: 28.01.2026 Updated: 29.01.2026

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	SolarWinds
Product	Web Help Desk
Versions	Default: affected Version 12.8.8 HF1 and below is affected

Solutions

SolarWinds recommends customers upgrade to Web Help Desk version 2026.1.

Credits

Piotr Bazydlo working with watchTowr reporter

References

Problem Types

CWE-502 Deserialization of Untrusted Data CWE

Impacts

CAPEC-586 Object Injection