CRITICAL🇵🇱 Wersja polska

CVE-2025-40552

CVSS 9.8v3.1pub. 2026-01-28upd. 2026-02-26

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication.

🤖 AI Analysis
How it works

The vulnerability classified as CWE-1390 (Weak Authentication) involves insufficient verification of user identity before performing protected operations in the application. An attacker, remotely and without possessing any credentials, can send crafted requests to application endpoints and bypass authentication mechanisms. This allows access to functions and methods that should be available only to logged-in and authorized users. The attack vector is network-based, requires no user interaction or special preconditions.

Impact

An attacker can perform arbitrary protected actions and methods of the application without authentication, which may lead to complete system takeover, disclosure of sensitive data, modification of configuration, or disruption of service availability.

Mitigation & patch

SolarWinds Web Help Desk should be updated to version 2026.1 or later in accordance with information in the vendor's release notes and recommendations published in the SolarWinds security center at the address indicated in the references.

Who is affected

SolarWinds Web Help Desk — versions indicated in vendor references (patches available in WHD 2026.1 release)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Solarwinds Web Help Desk

    APP
    Solarwinds
    < 2026.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-40551CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez deserializację w SolarWinds Web Help Desk — bez uwierzytelnienia

CVE-2025-26399CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez deserializację AjaxProxy w SolarWinds Web Help Desk (nieuwierzytelniony)

CVE-2024-28987CRITICAL9.1⚠ KEVPL ✓ten sam produkt

SolarWinds Web Help Desk – hardcoded credential umożliwia zdalny dostęp

CVE-2024-28986CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez Java Deserialization w SolarWinds Web Help Desk

CVE-2025-40553CRITICAL9.8PL ✓ten sam produkt

SolarWinds Web Help Desk — zdalne wykonanie kodu przez niebezpieczną deserializację