SolarWinds Web Help Desk Hit with Six Critical Vulnerabilities Including Multiple RCE Flaws

SolarWinds has released an emergency patch for Web Help Desk (WHD), addressing six security vulnerabilities—four rated critical—that could allow unauthenticated attackers to fully compromise host systems.

The flaws, discovered by researchers Jimi Sebree of Horizon3.ai and Piotr Bazydło of watchTowr, include multiple remote code execution vectors, authentication bypasses, and hardcoded credentials.

Critical Vulnerabilities (CVSS 9.8)

CVE-2025-40551 – Deserialization of untrusted data leading to remote code execution. Exploitable without authentication.

CVE-2025-40552 – Authentication bypass allowing attackers to execute protected actions and methods.

CVE-2025-40553 – Second deserialization vulnerability enabling unauthenticated remote code execution.

CVE-2025-40554 – Authentication bypass permitting attackers to invoke specific actions within Web Help Desk.

High Severity Vulnerabilities

CVE-2025-40536 (CVSS 8.1) – Security control bypass allowing unauthenticated access to restricted functionality.

CVE-2025-40537 (CVSS 7.5) – Hardcoded credentials that could grant access to administrative functions under certain conditions.

Why This Matters

SolarWinds products remain high-value targets following the 2020 supply chain compromise that affected thousands of organizations including U.S. government agencies. Web Help Desk is deployed across enterprises for IT service management, making these vulnerabilities particularly dangerous.

The combination of unauthenticated RCE and authentication bypass flaws means attackers can gain full control of WHD servers without any credentials—a worst-case scenario for exposed instances.

Affected Products

  • SolarWinds Web Help Desk (all versions prior to 2026.1)

Remediation

SolarWinds has addressed all six CVEs in WHD version 2026.1, released January 28, 2026. Organizations should:

  1. Update to WHD 2026.1 immediately
  2. Review Web Help Desk access logs for suspicious activity
  3. Ensure WHD instances are not exposed to the internet
  4. Change default admin credentials if not already done
  5. Create new client accounts rather than using built-in demo accounts in production
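As an added example that is not part of the advisory, the following Python helper triages a constructed WHD inventory against the five steps above: it flags every release prior to 2026.1, records which of the steps each host still needs, and ranks unpatched internet-facing hosts first because those are reachable by the unauthenticated RCE described above. Hostnames, versions and the handling of a "-HF" hotfix suffix are assumptions, not values from the advisory.

```python
from dataclasses import dataclass

# Release that SolarWinds states addresses all six CVEs (from the advisory above).
FIXED_VERSION = "2026.1"

def parse_version(version: str) -> tuple[int, ...]:
    """Dotted version -> int tuple for ordering; an assumed '-hotfix' suffix is dropped."""
    core = version.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))

def is_vulnerable(version: str) -> bool:
    """Every release prior to 2026.1 is affected per the advisory."""
    return parse_version(version) < parse_version(FIXED_VERSION)

@dataclass
class WhdInstance:
    host: str
    version: str
    internet_exposed: bool
    default_admin_creds: bool
    demo_accounts_in_use: bool

def triage(instances: list[WhdInstance]) -> list[tuple[str, str, list[str]]]:
    """Return (host, priority, actions) per instance needing work, most urgent first."""
    findings = []
    for inst in instances:
        actions = []
        if is_vulnerable(inst.version):
            actions.append(f"upgrade {inst.version} -> {FIXED_VERSION}")
        if inst.internet_exposed:
            actions.append("remove internet exposure")
        if inst.default_admin_creds:
            actions.append("change default admin credentials")
        if inst.demo_accounts_in_use:
            actions.append("replace built-in demo accounts with new client accounts")
        if actions:
            # Unpatched and internet-facing = reachable by the unauthenticated RCE chain.
            priority = "P1" if is_vulnerable(inst.version) and inst.internet_exposed else "P2"
            findings.append((inst.host, priority, actions))
    return sorted(findings, key=lambda f: f[1])  # stable sort: P1 first, input order kept

# Constructed sample inventory; hostnames and versions are illustrative only.
SAMPLE_INVENTORY = [
    WhdInstance("whd-dmz.example.test", "12.8.3", True, False, True),
    WhdInstance("whd-corp.example.test", "12.8.5-HF1", False, True, False),
    WhdInstance("whd-patched.example.test", "2026.1", False, False, False),
    WhdInstance("whd-lab.example.test", "2026.1", True, False, False),
]
```

Calling `triage(SAMPLE_INVENTORY)` returns three findings: the DMZ host as P1, then the corporate and lab hosts as P2.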

By Zero Day Wire