What is the CVSS score of CVE-2025-40553?

CVE-2025-40553 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 11.9%.

Which versions of Web Help Desk are affected by CVE-2025-40553?

A critical remote code execution vulnerability in SolarWinds Web Help Desk allows unauthenticated attackers to execute arbitrary commands on affected systems.

How to fix or mitigate CVE-2025-40553?

Within 24 hours: Identify all SolarWinds Web Help Desk instances in production and isolate affected systems from untrusted networks. Implement network segmentation and restrict access to administrative interfaces. Within 7 days: Deploy network-based mitigations (WAF rules blocking deserialization payloads), disable remote access features if not business-critical, and enable enhanced logging and monitoring. Within 30 days: Evaluate alternative help desk solutions, prepare for vendor patch deployment, and conduct security assessment of affected systems for signs of compromise.

Web Help Desk CVE-2025-40553

CRITICAL

Deserialization of Untrusted Data (CWE-502)

2026-01-28 psirt@solarwinds.com

RCE Deserialization Web Help Desk

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 28, 2026 - 08:16 nvd

CRITICAL 9.8

DescriptionNVD

SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

AnalysisAI

SolarWinds Web Help Desk has a second deserialization vulnerability (EPSS 11.9%) providing another unauthenticated RCE path alongside CVE-2025-40551.

Technical ContextAI

A separate CWE-502 deserialization vulnerability in SolarWinds WHD, distinct from CVE-2025-40551 but with the same impact: unauthenticated remote code execution through crafted serialized objects.

RemediationAI

Apply patches for all four WHD vulnerabilities.

CVE-2025-40553 vulnerability details – vuln.today

Back

Web Help Desk CVE-2025-40553

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code