Cyber Web Spider Blog – News
SolarWinds Fixes Four Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass

Posted on January 29, 2026 By CWS

Ravie LakshmananJan 29, 2026Vulnerability / Software program Safety

SolarWinds has released security updates to address multiple security vulnerabilities affecting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE).
The list of vulnerabilities is as follows –

CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality
CVE-2025-40537 (CVSS score: 7.5) – A hard-coded credentials vulnerability that could allow access to administrative functions using the “client” user account
CVE-2025-40551 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which could allow an unauthenticated attacker to run commands on the host machine
CVE-2025-40552 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods
CVE-2025-40553 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which could allow an unauthenticated attacker to run commands on the host machine
CVE-2025-40554 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk

While Jimi Sebree from Horizon3.ai has been credited with discovering and reporting the first three vulnerabilities, watchTowr’s Piotr Bazydlo has been acknowledged for the remaining three flaws. All the issues have been addressed in WHD 2026.1.
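As an added defender-side example (not code from the article, Horizon3.ai, watchTowr or SolarWinds), the following Python triages a host inventory against the fixed release named above: any Web Help Desk build below 2026.1 is reported together with the six CVEs it remains exposed to, ordered by CVSS score. The version-string shapes it accepts (dotted numbers with an optional legacy hotfix suffix) and the sample hostnames are assumptions.

```python
import re

# Advisory data from the article: all six CVEs are fixed in WHD 2026.1.
FIXED_VERSION = "2026.1"
WHD_CVES_FIXED_IN_2026_1 = {
    "CVE-2025-40536": 8.1, "CVE-2025-40537": 7.5, "CVE-2025-40551": 9.8,
    "CVE-2025-40552": 9.8, "CVE-2025-40553": 9.8, "CVE-2025-40554": 9.8,
}

# Assumed version-string shapes: dotted numbers ("2026.1", "2025.3.1") with an
# optional legacy hotfix suffix ("12.8.3 HF3"). Anything else is rejected.
_VERSION_RE = re.compile(r"\s*(\d+(?:\.\d+)*)\s*(?:(?:HF|Hotfix)\s*(\d+))?\s*", re.I)

def parse_version(text):
    """Turn a WHD version string into a comparable 5-tuple: four zero-padded
    numeric components (so '2026.1' == '2026.1.0.0') plus the hotfix number."""
    m = _VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")][:4]
    parts += [0] * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return tuple(parts) + (hotfix,)

def needs_update(installed):
    """True when the installed build predates the release carrying the fixes."""
    return parse_version(installed) < parse_version(FIXED_VERSION)

def triage(inventory):
    """Return (hostname, version, cves) for every host still below FIXED_VERSION,
    with the CVEs it remains exposed to ordered by CVSS score, highest first."""
    by_severity = sorted(WHD_CVES_FIXED_IN_2026_1,
                         key=lambda c: (-WHD_CVES_FIXED_IN_2026_1[c], c))
    return [(host, ver, by_severity) for host, ver in inventory if needs_update(ver)]

# Constructed sample inventory; hostnames are placeholders, not real systems.
SAMPLE_INVENTORY = [
    ("whd-prod-01.example.internal", "2025.3.1"),
    ("whd-dev-02.example.internal", "2026.1"),
    ("whd-legacy.example.internal", "12.8.3 HF3"),
]

if __name__ == "__main__":
    for host, ver, cves in triage(SAMPLE_INVENTORY):
        print(f"{host} ({ver}) needs WHD {FIXED_VERSION}: {', '.join(cves)}")
```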

“Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution,” Rapid7 said.

“RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.”
While CVE-2025-40552 and CVE-2025-40554 have been described as authentication bypasses, they could be leveraged to obtain RCE and achieve the same impact as the other two RCE deserialization vulnerabilities, the cybersecurity company added.
In recent years, SolarWinds has released fixes to resolve several flaws in its Web Help Desk software, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399. It is worth noting that CVE-2025-26399 addresses a patch bypass for CVE-2024-28988, which, in turn, is a patch bypass of CVE-2024-28986.
In late 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

In a post explaining CVE-2025-40551, Horizon3.ai’s Sebree described it as yet another deserialization vulnerability stemming from the AjaxProxy functionality that could result in remote code execution. To achieve RCE, an attacker needs to carry out the following sequence of actions –

Establish a valid session and extract key values
Create a LoginPref component
Set the state of the LoginPref component to allow access to the file upload
Use the JSONRPC bridge to create some malicious Java objects behind the scenes
Trigger those malicious Java objects

With flaws in Web Help Desk having been weaponized in the past, it is essential that customers move quickly to update to the latest version of the help desk and IT service management platform.

Category: The Hacker News