CVE-2025-40551

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm	Release Notes
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551	Vendor Advisory
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40551	US Government Resource

Configurations

Configuration 1 (hide)

cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-28 08:16

Updated : 2026-02-04 02:00

NVD link : CVE-2025-40551

Mitre link : CVE-2025-40551

CVE.ORG link : CVE-2025-40551

JSON object : View

Products Affected

solarwinds

web_help_desk

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-40551", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@solarwinds.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-01-28T08:16:02.273", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm", "tags": ["Release Notes"], "source": "psirt@solarwinds.com"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551", "tags": ["Vendor Advisory"], "source": "psirt@solarwinds.com"}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40551", "tags": ["US Government Resource"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "psirt@solarwinds.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication."}, {"lang": "es", "value": "SolarWinds Web Help Desk fue encontrado susceptible a una vulnerabilidad de deserializaci\u00f3n de datos no confiables que podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo, lo que permitir\u00eda a un atacante ejecutar comandos en la m\u00e1quina anfitriona. Esto podr\u00eda ser explotado sin autenticaci\u00f3n."}], "lastModified": "2026-02-04T02:00:02.030", "cisaActionDue": "2026-02-06", "cisaExploitAdd": "2026-02-03", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7CADB33-214C-441A-BB62-64811EBBEB29", "versionEndExcluding": "2026.1"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@solarwinds.com", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability"}