CVE-2025-40553

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm	Release Notes
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40553	Vendor Advisory
https://github.com/watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553/blob/main/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py

Configurations

Configuration 1 (hide)

cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-01-28 08:16

Updated : 2026-02-26 19:30

NVD link : CVE-2025-40553

Mitre link : CVE-2025-40553

CVE.ORG link : CVE-2025-40553

JSON object : View

Products Affected

solarwinds

web_help_desk

CWE

CWE-502

Deserialization of Untrusted Data

{"id": "CVE-2025-40553", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "psirt@solarwinds.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-01-28T08:16:02.583", "references": [{"url": "https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm", "tags": ["Release Notes"], "source": "psirt@solarwinds.com"}, {"url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40553", "tags": ["Vendor Advisory"], "source": "psirt@solarwinds.com"}, {"url": "https://github.com/watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553/blob/main/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "psirt@solarwinds.com", "description": [{"lang": "en", "value": "CWE-502"}]}], "descriptions": [{"lang": "en", "value": "SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication."}, {"lang": "es", "value": "SolarWinds Web Help Desk fue encontrado susceptible a una vulnerabilidad de deserializaci\u00f3n de datos no confiables que podr\u00eda conducir a la ejecuci\u00f3n remota de c\u00f3digo, lo que permitir\u00eda a un atacante ejecutar comandos en la m\u00e1quina anfitriona. Esto podr\u00eda ser explotado sin autenticaci\u00f3n."}], "lastModified": "2026-02-26T19:30:48.297", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F7CADB33-214C-441A-BB62-64811EBBEB29", "versionEndExcluding": "2026.1"}], "operator": "OR"}]}], "sourceIdentifier": "psirt@solarwinds.com"}