What is the CVSS score of CVE-2025-40554?

CVE-2025-40554 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 7.8%.

Which versions of Web Help Desk are affected by CVE-2025-40554?

A critical vulnerability (CVSS 9.8) in Web Help Desk enables attackers to execute unauthorized actions within the platform, potentially compromising all helpdesk operations and sensitive data.

Is there a public PoC exploit available for CVE-2025-40554?

Yes, a public proof-of-concept exploit is available for CVE-2025-40554. Prioritise patching immediately. EPSS: 7.8%.

How to fix or mitigate CVE-2025-40554?

Within 24 hours: Identify all Web Help Desk instances in your environment and assess exposure; implement network segmentation to restrict access to trusted IPs only. Within 7 days: Deploy WAF rules to block suspicious action invocation patterns; enable enhanced logging and monitoring for Web Help Desk activity; disable non-essential helpdesk features if operationally feasible. Within 30 days: Establish daily vendor communication cadence for patch availability; evaluate alternative helpdesk solutions as contingency; conduct comprehensive audit of helpdesk access logs for signs of compromise.

Web Help Desk CVE-2025-40554

CRITICAL

Weak Authentication (CWE-1390)

2026-01-28 psirt@solarwinds.com

Authentication Bypass Web Help Desk

9.8

CVSS 3.1 · NVD

Severity by source

NVD PRIMARY

9.8 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Jan 28, 2026 - 08:16 nvd

CRITICAL 9.8

DescriptionCVE.org

SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk.

AnalysisAI

SolarWinds Web Help Desk has a second authentication bypass (EPSS 7.8%) providing yet another path to unauthenticated admin access.

Technical ContextAI

Another CWE-1390 weak authentication vulnerability in SolarWinds WHD, the fourth critical vulnerability in the series. Two deserialization RCEs and two auth bypasses make the application fundamentally insecure.

RemediationAI

Patch all four vulnerabilities. Consider migrating to an alternative helpdesk solution given the systemic security issues.

CVE-2025-40554 vulnerability details – vuln.today

Back

Web Help Desk CVE-2025-40554

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code