SolarWinds Patches Critical Web Help Desk Vulnerabilities
Briefly

"First in line is CVE-2025-40551 (CVSS score of 9.8), a critical flaw described as an untrusted data deserialization issue that could lead to remote code execution (RCE) without authentication. According to Horizon3.ai, which discovered and reported the defect, CVE-2025-40551 exists in AjaxProxy functionality, where requests destined for other functions are improperly sanitized, and a blocklist function can be bypassed by including allowed terms early in a JSON payload."
"The remaining three critical vulnerabilities, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554 (CVSS score of 9.8), were discovered and reported by WatchTowr. CVE-2025-40553 is another untrusted data deserialization flaw that could lead to unauthenticated RCE, but no technical details have been released. CVE-2025-40552 and CVE-2025-40554 are described as authentication bypass defects that could allow remote attackers to execute or invoke specific actions or methods."
"The remaining two Web Help Desk issues addressed on Wednesday are high-severity vulnerabilities: a security control bypass issue (CVE-2025-40536) and a hardcoded credentials bug (CVE-2025-40537). CVE-2025-40536, the cybersecurity firm explains, exists because a function that verifies CSRF tokens and validates request query parameters can be bypassed via bogus URI parameters to access certain restricted functionality. Successful exploitation of the issue allows an attacker to successfully create a valid AjaxProxy instance,"
SolarWinds patched six vulnerabilities in Web Help Desk, four of them rated critical (CVSS 9.8). CVE-2025-40551, discovered and reported by Horizon3.ai, is an untrusted-data deserialization flaw in the AjaxProxy functionality that can lead to unauthenticated remote code execution: requests destined for other functions are improperly sanitized, and a blocklist function can be bypassed by placing allowed terms early in a JSON payload. WatchTowr reported the other three critical flaws. CVE-2025-40553 is another untrusted-data deserialization bug that could lead to unauthenticated RCE (no technical details have been released), while CVE-2025-40552 and CVE-2025-40554 are authentication bypasses that could let remote attackers execute or invoke specific actions or methods. The two remaining high-severity issues are a security control bypass (CVE-2025-40536), in which the function that verifies CSRF tokens and validates request query parameters can be bypassed with bogus URI parameters to reach restricted functionality, and a hardcoded credentials bug (CVE-2025-40537).
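As an added illustration of the weakness class the summary describes (this is constructed example code, not SolarWinds' code and not derived from the Web Help Desk patch or the researchers' reports): a request gate that decides on the first recognised term in the raw JSON text can be bypassed by placing an allowed term before a blocked one, whereas a gate that parses the body and exact-matches the resolved target against an allowlist cannot. The `naive_filter` and `strict_filter` functions, the term sets, the `method` field name and the sample request bodies are all hypothetical.

```python
import json
import re

# Constructed illustration: a proxy endpoint forwards JSON-described calls
# to internal handlers and gates them with allowed/blocked term lists.
ALLOWED_TERMS = {"getTicketSummary", "listQueues"}
BLOCKED_TERMS = {"ObjectInputStream", "readObject"}

# Identifier-like tokens in the raw body.
_TERM_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def naive_filter(body: str) -> bool:
    """Return True if the request is accepted.

    Flawed design: scans the raw text and decides on the FIRST recognised
    term it meets. An allowed term placed early in the payload short-circuits
    the check, so a blocked term later in the same body is never seen.
    """
    for match in _TERM_RE.finditer(body):
        term = match.group(0)
        if term in ALLOWED_TERMS:
            return True
        if term in BLOCKED_TERMS:
            return False
    return False


def strict_filter(body: str) -> bool:
    """Parse the JSON, read the one field that selects the target, and
    require an exact allowlist match. Anything else is rejected, and a
    blocked term anywhere in the body is an outright rejection.
    """
    try:
        obj = json.loads(body)
    except ValueError:
        return False
    if not isinstance(obj, dict):
        return False
    target = obj.get("method")  # hypothetical target-selecting field
    if not isinstance(target, str) or target not in ALLOWED_TERMS:
        return False
    for match in _TERM_RE.finditer(body):
        if match.group(0) in BLOCKED_TERMS:
            return False
    return True


# Constructed sample bodies.
BENIGN = '{"method": "getTicketSummary", "args": {"id": 42}}'
DIRECT = '{"method": "readObject", "args": {}}'
# Allowed term placed early, blocked target later in the same payload.
BYPASS = '{"note": "getTicketSummary", "method": "readObject", "args": {}}'


def compare() -> dict:
    """Run both gates over the samples; the naive gate accepts BYPASS."""
    return {
        name: (naive_filter(body), strict_filter(body))
        for name, body in (("benign", BENIGN), ("direct", DIRECT), ("bypass", BYPASS))
    }


if __name__ == "__main__":
    for name, (naive, strict) in compare().items():
        print(f"{name:7s} naive={naive} strict={strict}")
```

The point of the contrast is that a text-level blocklist is only as good as its scanning order and scope; the decision must be made on the parsed, resolved target, and an unauthenticated deserialization path should not be reachable from request data at all regardless of any term list.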
Read at SecurityWeek