CVE-2025-40536
Analyzed
Published: 28 Jan 2026, 07:30
Last modified: 26 Feb 2026, 15:04
Vulnerability Summary
Overall Risk (default): high, 70/100
CVSS Score: 9.8 CRITICAL, v3.1 (nvd)
EPSS Score: 68.28% CRITICAL, 68% probability, +0.72%
KEV: Listed (CISA, 1 listing)
Ransomware: No reports
Public exploits: 1 found
Dark Web: Not detected
Timeline
28 Jan 2026, 07:30
Published
Vulnerability first disclosed
12 Feb 2026, 00:00
Added to CISA KEV
SolarWinds Web Help Desk Security Control Bypass Vulnerability
15 Feb 2026, 00:00
CISA Remediation Due
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
26 Feb 2026, 15:04
Last Modified
Vulnerability information updated
Description
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that, if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
CVSS Metrics
- v3.1 • HIGH • Score: 8.1 • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- v3.1 • CRITICAL • Score: 9.8 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 68.28% • Percentile: 99%
Techniques & Countermeasures
- CWE-693 • Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Affected Systems
- Unknown • Web Help Desk
< 2026.1 | 12.8.8 HF1 and below
References (4)
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536
- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40536