CVE-2025-40551
Published: 28 January 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-40551 is an untrusted data deserialization vulnerability (CWE-502) affecting SolarWinds Web Help Desk. Published on January 28, 2026, it enables remote code execution (RCE), allowing attackers to run arbitrary commands on the host machine. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its high impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants full control over the affected host, potentially leading to complete system compromise, data theft, or further lateral movement within the environment.
SolarWinds has published mitigation details in their security advisory at https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551 and Web Help Desk 2026.1 release notes at https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm, which include patches addressing the issue. The vulnerability is also listed in CISA's Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40551, urging federal agencies to apply mitigations promptly.
Details
- CWE(s)
- KEV Date Added
- See CISA KEV catalog
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Untrusted data deserialization vulnerability in SolarWinds Web Help Desk enables unauthenticated remote code execution over the network in a public-facing web application, directly mapping to T1190: Exploit Public-Facing Application.