cbcvebase.
CVE-2025-40553
published 2026-01-28

CVE-2025-40553: SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would…

PriorityP184critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
60.39%
99.0th percentile
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

Affected

2 ranges
VendorProductVersion rangeFixed in
solarwindsweb_help_desk< 2026.12026.1
solarwindsweb_help_desk

Detection & IOCsextracted from sources · hover to see the quote

url/helpdesk/WebObjects/Helpdesk.woa
url/helpdesk/WebObjects/Helpdesk.woa/wo/1.2
otherhttp.favicon.hash:"1895809524"
commandwopage=LookAndFeelPref
  • Probe for SolarWinds Web Help Desk by issuing a GET to /helpdesk/WebObjects/Helpdesk.woa and checking the response body contains both 'helpdesk' and 'WebObjects' with HTTP 200.
  • Exploit confirmation: a POST to /helpdesk/WebObjects/Helpdesk.woa/wo/1.2 with body 'wopage=LookAndFeelPref' that returns HTTP 200 and a body containing 'Add File' and 'saveOptions' indicates successful unauthenticated access to a protected page.
  • Use the Shodan favicon hash 1895809524 to identify internet-exposed SolarWinds Web Help Desk instances.
  • CVE-2025-40553 is an unauthenticated untrusted data deserialization vulnerability leading to RCE; no authentication is required to trigger it.
  • ·The Nuclei template shown targets CVE-2025-40552 (authentication bypass); CVE-2025-40553 (deserialization/RCE) shares the same application path prefix but the PoC endpoint/payload for the deserialization vector is not disclosed in the available sources.
  • ·A combined PoC repository covering both CVE-2025-40552 and CVE-2025-40553 exists at the referenced GitHub URL, suggesting the auth-bypass (40552) may be chained with the deserialization RCE (40553).
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.