CVE-2025-40551

SolarWinds Web Help Desk Deserialization Vulnerability

SolarWinds Web Help Desk (WHD) contains a critical unauthenticated deserialization vulnerability that allows remote attackers to achieve remote code execution on vulnerable instances. Tracked as CVE-2025-40551, the issue stems from unsafe handling of attacker-controlled Java objects within AjaxProxy functionality. Successful exploitation enables full compromise of the underlying system, including persistent access and lateral movement into internal management networks.

SolarWinds has confirmed the issues are patched in Web Help Desk version 2026.1. All prior versions should be considered vulnerable and at immediate risk.

What it is and why it matters

CVE-2025-40551 is reachable without authentication by chaining multiple weaknesses in SolarWinds Web Help Desk. An attacker can bypass request-filter protections to access restricted WebObjects components, tracked as CVE-2025-40536. In some environments, static credentials created during initialization, tracked as CVE-2025-40537, may further simplify access to authenticated functionality. These weaknesses allow attackers to reach AjaxProxy components and trigger unsafe Java deserialization, resulting in remote code execution.

Stop Guessing, Start Proving

NodeZero attack path visualization showing exploitation flow leading to remote code execution in SolarWinds Web Help Desk
Run a Test Now

This vulnerability follows a familiar pattern in Web Help Desk. Previous fixes for AjaxProxy deserialization issues were bypassed multiple times, including CVE-2024-28986, CVE-2024-28988, and CVE-2025-26399. CVE-2025-40551 demonstrates that attackers can still reliably reach dangerous code paths without authentication, despite multiple remediation attempts.

Because Web Help Desk is commonly deployed as an internal IT management system, compromise has an outsized impact. Successful exploitation gives attackers access to IT workflows, credentials, configuration data, and systems used for identity and access administration. In practice, Web Help Desk often becomes a pivot point for broader compromise of internal management and directory services.

NodeZero® Offensive Security Platform — Rapid Response

The SolarWinds Web Help Desk Rapid Response test (CVE-2025-40551), released January 28, 2026, enables customers to safely verify whether Web Help Desk instances are exploitable to the unauthenticated deserialization vulnerability and therefore susceptible to full system compromise, and to confirm remediation.

  • Run the Rapid Response test — run the SolarWinds Web Help Desk — CVE-2025-40551 Rapid Response test from the customer portal to assess both internet-facing and internal WHD instances for unauthenticated remote code execution exposure.
  • Patch immediately — upgrade SolarWinds Web Help Desk to version 2026.1 or later. No effective workarounds are available for vulnerable versions, and delaying patching leaves systems exposed to full compromise.
  • Re-run the Rapid Response test — after upgrading, re-run the SolarWinds Web Help Desk Rapid Response test to confirm that the deserialization path is no longer exploitable.

If the Rapid Response test confirms exploitability, treat the system as compromised. Collect forensic artifacts, including WHD application logs, JSONRPC or AjaxProxy error logs, and access logs showing suspicious requests to Helpdesk.woa endpoints. Isolate affected systems, investigate for persistence or lateral movement, and engage your incident response team immediately.

Indicators of compromise (for hunting)

Web Help Desk log files are typically located in the application’s log directory unless otherwise configured.

IndicatorSourceWhat to look for
Default client account loginWHD session logsAuthentication events involving the default client account, including log entries showing eventType=[login] with username=[client].
JSONRPC / AjaxProxy errorsWHD application logsErrors or unusual activity related to JSONRPC or AjaxProxy processing, including org.jabsorb.JSONRPCBridge exceptions.
Whitelisted payload manipulationWHD application logsLog entries referencing whitelisted payloads that include Java object manipulation or unexpected JSONRPC method calls.
Suspicious WebObjects requestsWHD access logsRequests to /Helpdesk.woa/wo/* endpoints with unexpected or unusual query parameters.
Ajax whitelist bypass attemptsWHD access logsRequests containing query parameters with the string /ajax/, which may indicate attempts to bypass request-filter protections.

Any confirmed indicators should be treated as evidence of full system compromise and investigated accordingly.

Affected versions & patch

All SolarWinds Web Help Desk versions prior to 2026.1 are affected.

SolarWinds has released fixes in Web Help Desk version 2026.1. Organizations should assume exploitation is possible wherever vulnerable versions are reachable, even if the service is believed to be internally scoped or not intentionally exposed to the internet.

Timeline (key)

December 5, 2025 — Horizon3.ai discloses the issues to SolarWinds PSIRT
December 12, 2025 — SolarWinds confirms report validity
January 21, 2026 — SolarWinds provides a preview release
January 28, 2026 — SolarWinds releases patches publicly

References

Read about other CVEs

NodeZero® Platform

Implement a continuous find, fix, and verify loop with NodeZero

The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Explore NodeZero

Recognized By