PT-2026-5073 · Solarwinds · Solarwinds Web Help Desk

Published: 2026-01-28 · Updated: 2026-02-10 · CVE-2025-40551

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions
SolarWinds Web Help Desk versions prior to 2026.1
SolarWinds Web Help Desk versions 12.8.8 HF1 and earlier

Description
SolarWinds Web Help Desk is susceptible to an untrusted data deserialization vulnerability that allows attackers to execute commands on the host machine without authentication. This vulnerability, designated CVE-2025-40551, is actively being exploited and has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. The vulnerability resides in the AjaxProxy component. Over 170 installations are reportedly exposed online. The vulnerability allows for remote code execution (RCE).

Recommendations
SolarWinds Web Help Desk versions prior to 2026.1: Update to version 2026.1 immediately.
SolarWinds Web Help Desk versions 12.8.8 HF1 and earlier: Update to version 2026.1 immediately.

Fix

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers
BDU:2026-00960
CVE-2025-40551

Affected Products
SolarWinds Web Help Desk