SolarWinds Fixes Four Unauthenticated RCE Bugs
SolarWinds has fixed a series of high-impact flaws in its Web Help Desk platform, releasing a security update that patches six vulnerabilities, four of which attackers could exploit without authentication. The issues, identified by researchers from watchTowr and Horizon3.ai, include remote code execution (RCE) risks and authentication bypasses.
Among the flaws, CVE-2025-40552 and CVE-2025-40554 allow access to protected actions without login credentials. CVE-2025-40553 and CVE-2025-40551 involve deserialization of untrusted data, enabling attackers to execute arbitrary commands on affected systems. Horizon3.ai rated CVE-2025-40551 at CVSS 9.8, citing its potential for full system compromise.
The update also addresses two high-severity flaws: one involving static credentials (CVE-2025-40537) and another that bypasses security controls (CVE-2025-40536). Together, these flaws expose major weaknesses in authentication and secure coding practices.
All six vulnerabilities are fixed in Web Help Desk version 2026.1. Users are urged to apply the update immediately.
