CVE-2025-40553

CRITICAL

Solarwinds Web Help Desk < 2026.1 - Insecure Deserialization

Title source: rule

Description

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

References (3)

[Exploit, Third Party Advisory] https://github.com/watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553/blob/main/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py

View Exploit ZIP pw:eip

[Release Notes] https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm

[Vendor Advisory] https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40553

Scores

CVSS v3 9.8

EPSS 0.1185

EPSS Percentile 93.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (1)

solarwinds/web_help_desk < 2026.1

Timeline

Published Jan 28, 2026

Tracked Since Feb 18, 2026