SolarWinds Fixes 4 Critical Web Help Desk Flaws With Unauthenticated RCE and Auth Bypass

SolarWinds has released security updates to address a number of security vulnerabilities impacting SolarWinds Web Help Desk, including four critical vulnerabilities that could result in authentication bypass and remote code execution (RCE).

The list of vulnerabilities is as follows –

  • CVE-2025-40536 (CVSS score: 8.1) – A security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality
  • CVE-2025-40537 (CVSS score: 7.5) – A hard-coded credentials vulnerability that could allow access to administrative functions using the “client” user account
  • CVE-2025-40551 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which could allow an unauthenticated attacker to run commands on the host machine
  • CVE-2025-40552 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an unauthenticated attacker to execute actions and methods
  • CVE-2025-40553 (CVSS score: 9.8) – An untrusted data deserialization vulnerability that could lead to remote code execution, which could allow an unauthenticated attacker to run commands on the host machine
  • CVE-2025-40554 (CVSS score: 9.8) – An authentication bypass vulnerability that could allow an attacker to invoke specific actions within Web Help Desk

While Jimi Sebree from Horizon3.ai has been credited with discovering and reporting the first three vulnerabilities, watchTowr’s Piotr Bazydlo has been acknowledged for the remaining three flaws. All the issues have been addressed in WHD 2026.1.


“Both CVE-2025-40551 and CVE-2025-40553 are critical deserialization of untrusted data vulnerabilities that allow a remote unauthenticated attacker to achieve RCE on a target system and execute payloads such as arbitrary OS command execution,” Rapid7 said.

“RCE via deserialization is a highly reliable vector for attackers to leverage, and as these vulnerabilities are exploitable without authentication, the impact of either of these two vulnerabilities is significant.”

While CVE-2025-40552 and CVE-2025-40554 have been described as authentication bypasses, they could also be leveraged to obtain RCE and achieve the same impact as the other two RCE deserialization vulnerabilities, the cybersecurity company added.

In recent years, SolarWinds has released fixes to resolve a number of flaws in its Web Help Desk software, including CVE-2024-28986, CVE-2024-28987, CVE-2024-28988, and CVE-2025-26399. It is worth noting that CVE-2025-26399 addresses a patch bypass for CVE-2024-28988, which, in turn, is a patch bypass of CVE-2024-28986.

In late 2024, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-28986 and CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.


In a post explaining CVE-2025-40551, Horizon3.ai’s Sebree described it as yet another deserialization vulnerability stemming from the AjaxProxy functionality that could result in remote code execution. To achieve RCE, an attacker needs to carry out the following sequence of actions –

  • Establish a valid session and extract key values
  • Create a LoginPref component
  • Set the state of the LoginPref component to allow access to the file upload
  • Use the JSONRPC bridge to create some malicious Java objects behind the scenes
  • Trigger these malicious Java objects

With flaws in Web Help Desk having been weaponized in the past, it is essential that customers move quickly to update to the latest version of the help desk and IT service management platform.
