CVE-2025-40551

Analyzed

Published: 28 Jan 2026, 07:33

Last modified:26 Feb 2026, 15:04

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

v3.1 (cve.org)

EPSS Score

90.05% CRITICAL

90% probability +0.12%

KEV

Listed

CISA

1 listing

Ransomware

No reports

Public exploits

1 found

Dark Web

Not detected

Timeline

28 Jan 2026, 07:33

Published

Vulnerability first disclosed

03 Feb 2026, 00:00

Added to CISA KEV

SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

06 Feb 2026, 00:00

CISA Remediation Due

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

26 Feb 2026, 15:04

Last Modified

Vulnerability information updated

Description

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 90.05%• Percentile: 100%

Techniques & Countermeasures

CWE-502•Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Affected Systems

Unknown•Web Help Desk
< 2026.1 | 12.8.8 HF1 and below