
Critical Unauthenticated RCE Flaw Exposes SolarWinds Web Help Desk to Instant Takeover

SolarWinds patches critical CVE-2025-40551 RCE vulnerability allowing attackers complete system control without authentication

Security researchers at Horizon3.ai have uncovered a chain of critical vulnerabilities in SolarWinds Web Help Desk (WHD) that allows unauthenticated attackers to execute arbitrary code and seize complete control of vulnerable systems—marking yet another security nightmare for the beleaguered software vendor.

The most severe flaw, tracked as CVE-2025-40551 with a CVSS score of 9.8, stems from unsafe deserialization of untrusted data. When combined with two other vulnerabilities—hardcoded credentials (CVE-2025-40537) and a security control bypass (CVE-2025-40536)—attackers can remotely execute commands on host machines without requiring authentication.

"These vulnerabilities are easily exploitable and enable unauthenticated attackers to achieve remote code execution on vulnerable SolarWinds Web Help Desk instances," warned Jimi Sebree, the Horizon3.ai researcher who discovered the flaws.

This disclosure represents the fourth patch bypass in SolarWinds WHD's ongoing battle with deserialization vulnerabilities.

The original issue, CVE-2024-28986, was added to CISA's Known Exploited Vulnerabilities catalogue in August 2024. Two subsequent bypasses (CVE-2024-28988 and CVE-2025-26399) followed in quick succession, demonstrating the difficulty in properly fixing complex serialisation flaws.

The current attack chain exploits the AjaxProxy functionality and the jabsorb library—a JSON-RPC implementation known for code execution issues when improperly secured. 

Attackers can bypass authentication checks by manipulating request URIs and leveraging WebObjects framework quirks to instantiate components that shouldn't be accessible without valid sessions.

Technical details reveal that the vulnerability allows attackers to create malicious Java objects through WHD's JSON-RPC bridge. By including whitelisted terms such as "java" in their payload to bypass blacklist filters and switching request paths from "ajax" to "wo" to evade sanitisation routines, attackers can forge sessions and execute code with NETWORK SERVICE privileges.

SolarWinds has battled credibility issues since the devastating 2020 supply chain attack that compromised thousands of organisations worldwide. 

Back in January 2021, Cyber Kendra reported about three serious vulnerabilities in SolarWinds Orion that collectively enabled unauthorised remote code execution via command injection, SQL injection, and authentication bypass—highlighting the company's recurring security challenges.

Immediate Action Required

SolarWinds released WHD version 2026.1 on January 28, 2026, addressing CVE-2025-40551, along with five other critical vulnerabilities discovered by researchers at Horizon3.ai and watchTowr. The update also introduces NextGen WHD with improved security architecture, though several features remain temporarily unavailable.

Organisations should immediately upgrade to version 2026.1 and audit their logs for suspicious activity. Warning signs include JSONRPC errors, whitelisted payload entries containing "java," and unusual requests to "/Helpdesk.woa/wo/*" endpoints with parameters outside the standard whitelist.
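As an added illustration of the log review suggested above (this is not code from the article, Horizon3.ai or SolarWinds), the following Python script flags the three warning signs named in that paragraph across a few constructed log lines. The allowlist of query-parameter names, the sample request paths and the log lines themselves are assumptions, since the article does not reproduce WHD's actual parameter whitelist.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# ASSUMED placeholder: replace with the parameter names your WHD deployment
# normally sends to /Helpdesk.woa/wo/* pages, learned from baseline traffic.
ALLOWED_PARAMS = {"wosid"}

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Application-log lines that mention a JSON-RPC error (jabsorb bridge).
JSONRPC_ERR_RE = re.compile(r"JSONRPC.*error", re.IGNORECASE)

def check_line(line: str) -> list[str]:
    """Return the names of the indicators a single log line matches."""
    hits = []
    m = REQUEST_RE.search(line)
    if m:
        parts = urlsplit(unquote(m.group("target")))
        params = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        # Sign 3: a /Helpdesk.woa/wo/* request carrying parameters outside the allowlist.
        if "/Helpdesk.woa/wo/" in parts.path and (params - ALLOWED_PARAMS):
            hits.append("wo-endpoint-nonstandard-params")
        # Sign 2: the term "java" in the request parameters (bodies only if your
        # proxy logs them; here only the query string is visible).
        if "java" in parts.query.lower():
            hits.append("java-in-request-params")
    # Sign 1: JSONRPC errors in the application log.
    if JSONRPC_ERR_RE.search(line):
        hits.append("jsonrpc-error")
    return hits

def scan(lines):
    """Yield (line number, indicators, line) for every line with at least one hit."""
    return [(i, h, ln) for i, ln in enumerate(lines, 1) if (h := check_line(ln))]

# Constructed sample lines, not real traffic: three access-log entries and one
# application-log entry. "SomeComponent" is a placeholder page name.
SAMPLE_LINES = [
    '10.0.0.5 - - [29/Jan/2026:10:00:01 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wa/Login?wosid=abc HTTP/1.1" 200 512',
    '10.0.0.7 - - [29/Jan/2026:10:00:09 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wo/SomeComponent?wosid=abc&extra=java HTTP/1.1" 500 88',
    '10.0.0.7 - - [29/Jan/2026:10:00:10 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/ajax/SomeComponent?wosid=abc HTTP/1.1" 200 88',
    "2026-01-29 10:00:09 ERROR [JSONRPCBridge] JSONRPC error while processing request",
]

if __name__ == "__main__":
    for lineno, hits, line in scan(SAMPLE_LINES):
        print(f"line {lineno}: {', '.join(hits)}\n    {line}")
```

Run it against exported web-server and WHD application logs line by line; any hit on the second or third indicator deserves manual review of the full request and the surrounding session activity.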

The severity of these flaws and SolarWinds' history make this a zero-delay patching situation for any organisation running Web Help Desk.
