SecurityWeek

Vulnerabilities

SolarWinds Patches Critical Web Help Desk Vulnerabilities

The four critical flaws could be exploited without authentication for remote code execution or authentication bypass.

SolarWinds on Wednesday announced patches for six vulnerabilities in the Web Help Desk product, including four critical-severity bugs.

First in line is CVE-2025-40551 (CVSS score of 9.8), a critical flaw described as an untrusted data deserialization issue that could lead to remote code execution (RCE) without authentication.

According to Horizon3.ai, which discovered and reported the defect, CVE-2025-40551 exists in AjaxProxy functionality, where requests destined for other functions are improperly sanitized, and a blocklist function can be bypassed by including allowed terms early in a JSON payload.

The method, Horizon3.ai explains, has been used in the exploitation of CVE-2024-28986 and subsequent bypasses (tracked as CVE-2024-28988 and CVE-2025-26399), which were also rooted in the AjaxProxy functionality.
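The recurring pattern behind these AjaxProxy bugs is a gate that inspects raw request text for forbidden terms rather than validating the parsed request against a list of what is permitted. The following is an added illustration, not SolarWinds, Horizon3.ai or Web Help Desk code: a hypothetical dispatcher with a raw-text blocklist beside an allowlist applied to the parsed JSON. Every name in it (the "action" field, ALLOWED_ACTIONS, BLOCKED_ACTIONS, the sample payloads) is constructed for this example.

```python
import json
import re

# Hypothetical action names; nothing here corresponds to a real product API.
ALLOWED_ACTIONS = {"ticket.list", "ticket.view"}
BLOCKED_ACTIONS = {"object.deserialize", "system.exec"}

# The weak gate only ever looks at the first "action" string in the raw body.
_FIRST_ACTION = re.compile(r'"action"\s*:\s*"([^"]*)"')


def weak_gate(raw_body: str) -> bool:
    """Blocklist on raw text: reject only if the first "action" string found
    is on the blocklist. It never parses the body, so anything that comes
    after the first match (or a body that is not valid JSON) is never checked."""
    m = _FIRST_ACTION.search(raw_body)
    if m is None:
        return False
    return m.group(1) not in BLOCKED_ACTIONS


def _reject_duplicate_keys(pairs):
    """object_pairs_hook that refuses duplicate keys instead of letting the
    parser silently keep the last value."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def hardened_gate(raw_body: str) -> bool:
    """Allowlist on the parsed structure: the body must parse as a JSON object
    with no duplicate keys, and its top-level "action" must be on the allowlist.
    Anything unexpected fails closed."""
    try:
        body = json.loads(raw_body, object_pairs_hook=_reject_duplicate_keys)
    except ValueError:  # json.JSONDecodeError is a subclass of ValueError
        return False
    if not isinstance(body, dict):
        return False
    action = body.get("action")
    return isinstance(action, str) and action in ALLOWED_ACTIONS


# Constructed sample requests.
BENIGN = '{"action": "ticket.list", "page": 1}'
# A permitted term placed early in the body; the top-level action is blocked.
NESTED_DECOY = '{"filter": {"action": "ticket.list"}, "action": "object.deserialize"}'
# Same idea using a duplicate key: a lenient parser would keep the last value.
DUPLICATE_KEY = '{"action": "ticket.list", "action": "object.deserialize"}'
# Not valid JSON at all; the raw-text gate still finds an "action" to approve.
TRUNCATED = '{"action": "ticket.list"'


def evaluate(raw_body: str) -> dict:
    """Run both gates on one body so the difference is visible side by side."""
    return {"weak": weak_gate(raw_body), "hardened": hardened_gate(raw_body)}


if __name__ == "__main__":
    for name, body in [("benign", BENIGN), ("nested_decoy", NESTED_DECOY),
                       ("duplicate_key", DUPLICATE_KEY), ("truncated", TRUNCATED)]:
        print(f"{name:14s} {evaluate(body)}")
```

The point of the comparison is the failure mode the article describes: a raw-text blocklist is satisfied by whatever it happens to look at first, while an allowlist over the parsed object has no notion of "early" or "late" and fails closed on malformed or duplicate-keyed input.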

The remaining three critical vulnerabilities, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554 (CVSS score of 9.8), were discovered and reported by watchTowr.

CVE-2025-40553 is another untrusted data deserialization flaw that could lead to unauthenticated RCE, but no technical details have been released.

CVE-2025-40552 and CVE-2025-40554 are described as authentication bypass defects that could allow remote attackers to execute or invoke specific actions or methods. The critical severity of the issues suggests that both could be exploited for RCE, Rapid7 notes.

The remaining two Web Help Desk issues addressed on Wednesday are high-severity vulnerabilities: a security control bypass issue (CVE-2025-40536) and a hardcoded credentials bug (CVE-2025-40537). Both were discovered by Horizon3.ai.

CVE-2025-40536, the cybersecurity firm explains, exists because a function that verifies CSRF tokens and validates request query parameters can be bypassed via bogus URI parameters to access certain restricted functionality.

Successful exploitation of the issue allows an attacker to create a valid AjaxProxy instance, which could then be abused to trigger CVE-2025-40551 and achieve RCE, Horizon3.ai says.

CVE-2025-40537, the company notes, exists because, upon initialization, Web Help Desk creates a client account with the default username and password of ‘client’, for demo purposes.

“While this account appears to be limited in its access rights in some production environments, we’ve come across cases where this account is still associated with the default tech account and allows anyone logging in with this ‘client’ user account to switch to the administrator account,” Horizon3.ai explains.
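Until an instance is upgraded, the practical question for a defender is whether the demo account is being used at all, and whether a session that started as ‘client’ later switched to a privileged user. The following is an added example, not Web Help Desk or Horizon3.ai code: it correlates constructed authentication log lines by session and flags default-account logins, rating those followed by a successful user switch as high severity. The log format, field names and sample lines are all constructed for this example and are not the product's actual log format.

```python
import re
from collections import defaultdict

# The demo account the advisory names; extend with any other known defaults.
DEFAULT_ACCOUNTS = {"client"}

# Constructed log format: ISO timestamp followed by key=value tokens.
_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
    fields["ts"] = m.group("ts")
    return fields


def find_default_account_activity(lines):
    """Group events by session and report every successful login with a default
    account. A later successful switch_user in the same session escalates the
    finding to 'high' and records the target account."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec.get("session"):
            sessions[rec["session"]].append(rec)

    findings = []
    for sid, events in sessions.items():
        logins = [e for e in events
                  if e.get("event") == "login" and e.get("result") == "success"
                  and e.get("user") in DEFAULT_ACCOUNTS]
        if not logins:
            continue
        switches = [e for e in events
                    if e.get("event") == "switch_user" and e.get("result") == "success"]
        findings.append({
            "session": sid,
            "user": logins[0]["user"],
            "src": logins[0].get("src"),
            "first_seen": logins[0]["ts"],
            "escalated_to": [s.get("target") for s in switches],
            "severity": "high" if switches else "medium",
        })
    return findings


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2025-01-15T10:02:11Z session=7f3a user=client event=login result=success src=198.51.100.7
2025-01-15T10:02:40Z session=7f3a user=client event=switch_user target=admin result=success
2025-01-15T10:05:02Z session=9b12 user=jdoe event=login result=success src=203.0.113.5
2025-01-15T10:06:30Z session=c4e1 user=client event=login result=failure src=198.51.100.7
2025-01-15T10:07:15Z session=d802 user=client event=login result=success src=192.0.2.44
"""


if __name__ == "__main__":
    for f in find_default_account_activity(SAMPLE_LOG.splitlines()):
        print(f)
```

Failed logins as ‘client’ are deliberately left out of the findings here, since the aim is to surface sessions where the demo account actually worked; a separate rule on repeated failures against it would be a reasonable companion.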

All six vulnerabilities have been addressed with the release of Web Help Desk version 2026.1. Although none of these bugs has been flagged as exploited in the wild, organizations are advised to update their instances as soon as possible.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
