VYPR advisory · Published Feb 25, 2026 · Updated May 20, 2026 · 1 source

Three Pre-Auth RCE Vulnerabilities Disclosed in SolarWinds Web Help Desk

WatchTowr Labs has disclosed three pre-authentication vulnerabilities in SolarWinds Web Help Desk, including an RCE via deserialization, that allow unauthenticated remote code execution on fully patched instances.

WatchTowr Labs has disclosed three pre-authentication vulnerabilities in SolarWinds Web Help Desk (WHD) that, when chained, allow unauthenticated remote code execution on fully patched instances. The vulnerabilities—CVE-2025-40552 (authentication bypass), CVE-2025-40553 (RCE via deserialization), and CVE-2025-40554 (authentication bypass)—were discovered while researchers attempted to reproduce a previously patched flaw, CVE-2025-26399. SolarWinds has assigned tracking IDs WT-2025-0099 through WT-2025-0101.

The research highlights a troubling pattern of recurring deserialization issues in SolarWinds Web Help Desk. In 2024, CVE-2024-28986 was exploited in the wild and added to CISA's Known Exploited Vulnerabilities catalog. Two more pre-auth deserialization RCEs followed in 2025: CVE-2024-28988 (patched June 2025) and CVE-2025-26399 (patched September 2025). WatchTowr's findings represent yet another bypass of these fixes, underscoring the difficulty of securing the legacy Java WebObjects framework on which WHD is built.

The vulnerabilities stem from the use of the Java WebObjects framework, a technology whose last major release was nearly two decades ago. WatchTowr notes that the framework's age and lack of modern security features make it challenging to secure. The authentication bypasses (CVE-2025-40552 and CVE-2025-40554) allow an attacker to bypass login controls, while the deserialization flaw (CVE-2025-40553) enables remote code execution. The full chain is complex, but a demo video shows exploitation in action.
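Because the summary above identifies Java deserialization as the RCE primitive without detailing the vulnerable entry point, the following is an added, defender-side example (not SolarWinds, WebObjects, or watchTowr code) of the generic JDK mitigation for this bug class: an allowlist `ObjectInputFilter` (JEP 290, Java 9 and later) attached to an `ObjectInputStream`, so that any class outside the expected set is refused before its deserialization logic runs. `TicketRef` is a constructed stand-in for an application type; the allowlist contents and the depth/array limits are assumptions to be tuned per application.

```java
import java.io.*;
import java.util.*;

/**
 * Added example (not SolarWinds / watchTowr code): an allowlist-based
 * ObjectInputFilter applied at the deserialization call site.
 * TicketRef is a constructed sample type, not a Web Help Desk class.
 */
public class DeserializationAllowlist {

    // Constructed sample type: the only application class expected on the wire.
    public static final class TicketRef implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        TicketRef(int id) { this.id = id; }
    }

    // Allowlist of fully qualified class names (assumption: tune per application).
    static final Set<String> ALLOWED = Set.of(TicketRef.class.getName());

    // Called for every class encountered in the stream and for structural checks
    // (depth, array length, reference count) where serialClass() is null.
    static ObjectInputFilter allowlistFilter() {
        return info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Structural check only: enforce size limits, leave the class decision open.
                return (info.depth() > 8 || info.arrayLength() > 1000)
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;
            }
            // Judge arrays by their component type so TicketRef[] is treated as TicketRef.
            while (c.isArray()) c = c.getComponentType();
            if (c.isPrimitive() || ALLOWED.contains(c.getName())) {
                return ObjectInputFilter.Status.ALLOWED;
            }
            // Default deny: anything not explicitly expected, gadget classes included.
            return ObjectInputFilter.Status.REJECTED;
        };
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter attached; a rejected class raises InvalidClassException
    // before any readObject()/readResolve() logic of that class executes.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowlistFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected application type passes the filter.
        TicketRef ok = (TicketRef) deserializeFiltered(serialize(new TicketRef(42)));
        System.out.println("allowed: TicketRef id=" + ok.id);

        // A type outside the allowlist (a harmless HashMap here) is refused; the JDK
        // reports the reason as "filter status: REJECTED".
        try {
            deserializeFiltered(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For a legacy application whose deserialization call sites cannot be edited, the same allowlist syntax can be applied process-wide with the `jdk.serialFilter` system property (for example `-Djdk.serialFilter='com.example.app.**;java.base/*;!*'`, a constructed pattern) or with `ObjectInputFilter.Config.setSerialFilter(...)` at startup; the filter is a defence-in-depth layer and does not replace the vendor patch, since it only constrains which classes the stream may instantiate, not whether untrusted data reaches the stream in the first place.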

SolarWinds Web Help Desk is a widely used ticketing and asset management platform, often exposed to the internet and containing sensitive internal data. This makes it an attractive target for attackers. The vulnerabilities affect all versions prior to the patches released by SolarWinds. Users are urged to apply the latest updates immediately.

WatchTowr Labs has published a detailed technical write-up on their blog, including source code analysis and exploitation details. The researchers emphasize that their exploitation path is materially different from previous disclosures, justifying the publication despite the risk of being labeled "me too" research.

This disclosure adds to a growing list of critical vulnerabilities in enterprise help desk software, which has become a prime target for initial access. The recurring nature of these flaws in SolarWinds WHD raises questions about the long-term viability of maintaining legacy frameworks without fundamental architectural changes.

Synthesized by Vypr AI