CRITICAL🇵🇱 Wersja polska

CVE-2025-40554

CVSS 9.8v3.1pub. 2026-01-28upd. 2026-02-03

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

🤖 AI Analysis
How it works

The vulnerability results from improper user identity verification in the Web Help Desk application. An attacker, operating remotely without authentication and without any interaction from the victim, can trigger specific actions within the system. The attack vector is network-based (AV:N), attack complexity is low (AC:L), meaning exploitation of this vulnerability does not require specialized knowledge or special conditions.

Impact

Successful exploitation of this vulnerability may allow an attacker to perform unauthorized operations in the SolarWinds Web Help Desk system, potentially leading to breaches of confidentiality, integrity, and availability of data managed by the helpdesk system.

Mitigation & patch

Apply patches available from the vendor according to references — update SolarWinds Web Help Desk to the version described in WHD 2026-1 release notes available at: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm

Who is affected

SolarWinds Web Help Desk — specific vulnerable versions indicated in vendor references (WHD 2026-1 release notes and SolarWinds advisory)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Solarwinds Web Help Desk

    APP
    Solarwinds
    < 2026.1
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-40551CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez deserializację w SolarWinds Web Help Desk — bez uwierzytelnienia

CVE-2025-26399CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez deserializację AjaxProxy w SolarWinds Web Help Desk (nieuwierzytelniony)

CVE-2024-28987CRITICAL9.1⚠ KEVPL ✓ten sam produkt

SolarWinds Web Help Desk – hardcoded credential umożliwia zdalny dostęp

CVE-2024-28986CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez Java Deserialization w SolarWinds Web Help Desk

CVE-2025-40552CRITICAL9.8PL ✓ten sam produkt

SolarWinds Web Help Desk — pominięcie uwierzytelnienia (Auth Bypass)