Security researchers have disclosed a barrage of critical vulnerabilities in SolarWinds Web Help Desk (WHD) software. The flaws, ranging from hardcoded credentials to remote code execution (RCE), open the door for unauthenticated attackers to completely compromise host machines.
The discovery, credited to researchers Jimi Sebree of Horizon3.ai and Piotr Bazydlo of watchTowr, highlights a concerning lack of input validation and access control in the IT service management platform.
The most dangerous vulnerabilities in this batch are a pair of Untrusted Data Deserialization flaws, both carrying the maximum CVSS severity score of 9.8.
Tracked as CVE-2025-40551 (found by Sebree) and CVE-2025-40553 (found by Bazydlo), these vulnerabilities allow an attacker to supply crafted serialized data that the application deserializes, turning malicious input into code execution.
The report warns that CVE-2025-40551 is a “deserialization vulnerability that could lead to remote code execution which would allow an attacker to run commands on the host machine”. Crucially, this attack vector is wide open: “This could be exploited without authentication”.
The platform is also plagued by multiple Authentication Bypass vulnerabilities, which allow attackers to walk right past the login screen.
Researcher Piotr Bazydlo identified CVE-2025-40552 and CVE-2025-40554, both rated Critical (CVSS 9.8). These flaws mean that a malicious actor can “execute actions and methods that should be protected by authentication” without ever having a valid account.
Researcher Jimi Sebree also uncovered CVE-2025-40537, a Hardcoded Credentials vulnerability. Rated High (CVSS 7.5), this flaw means the software shipped with credentials baked into the code itself.
The analysis notes that this vulnerability, “under certain situations, could allow access to administrative functions,” effectively handing admin keys to anyone who knows where to look.
The security advisory details a total of six significant vulnerabilities:
- CVE-2025-40551 & CVE-2025-40553 (Critical 9.8): Untrusted Data Deserialization leading to unauthenticated RCE.
- CVE-2025-40552 & CVE-2025-40554 (Critical 9.8): Authentication Bypass allowing unauthorized actions.
- CVE-2025-40536 (High 8.8): Security Control Bypass allowing unauthenticated access to restricted functionality.
- CVE-2025-40537 (High 7.5): Hardcoded Credentials allowing access to admin functions.
Administrators running SolarWinds Web Help Desk are urged to apply the latest patches immediately, as the combination of unauthenticated RCE and authentication bypasses makes this a high-priority target for threat actors.