{"id":15566,"date":"2026-01-29T03:16:03","date_gmt":"2026-01-29T03:16:03","guid":{"rendered":"https:\/\/newestek.com\/?p=15566"},"modified":"2026-01-29T03:16:03","modified_gmt":"2026-01-29T03:16:03","slug":"solarwinds-again-critical-rce-bugs-reopen-old-wounds-for-enterprise-security-teams","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15566","title":{"rendered":"SolarWinds, again: Critical RCE bugs reopen old wounds for enterprise security teams"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>SolarWinds is yet again disclosing security vulnerabilities in one of its widely-used products.\u00a0The company has released updates to patch six critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk (WHD) IT software.<\/p>\n<p>These flaws could allow attackers to bypass authentication, perform remote code execution (RCE), and access certain functionality that should be gated. Of the six, four are rated \u201ccritical\u201d (9.8 out of 10 on the CVE severity scale), while the others are \u201chigh\u201d (7.5 and 8.1 severity).<\/p>\n<p>Because WHD has been <a href=\"https:\/\/www.csoonline.com\/article\/3567911\/critical-solarwinds-flaw-finds-exploitations-in-the-wild-despite-available-fixes.html\" target=\"_blank\">actively exploited in the past<\/a>, admins are advised to patch their vulnerable servers immediately, by upgrading to Web Help Desk 2026.1.<\/p>\n<p>\u201cWe already know what happens if you compromise SolarWinds,\u201d said <a href=\"https:\/\/www.beauceronsecurity.com\/blog\/tag\/David+Shipley\" target=\"_blank\" rel=\"noreferrer noopener\">David Shipley<\/a> of Beauceron Security. 
\u201cThere\u2019s a massive downstream risk. It\u2019s critical that things are patched, updated, resolved as quickly as possible.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"rce-the-three-letters-no-security-leader-wants-to-hear\">\u2018RCE\u2019: The three letters no security leader wants to hear<\/h2>\n<p>SolarWinds says it has more than 300,000 customers around the world, including a large portion of the Fortune 500 and major government and defense agencies. The company\u2019s WHD product is popular among these organizations.<\/p>\n<p>The vulnerabilities were discovered by independent researchers from watchTowr and Horizon3.ai. They include:<\/p>\n<ul class=\"wp-block-list\">\n<li>Remote code execution and data deserialization vulnerabilities <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-40551\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-40551<\/a> (critical) and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-40553\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-40553<\/a> (critical);<\/li>\n<li>Authentication bypass security flaws <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-40552\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-40552<\/a> (critical), <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-40554\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-40554<\/a> (critical), <a href=\"https:\/\/www.cve.org\/CVERecord?id=CVE-2025-40536\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-40536<\/a> (high), and <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-40537\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2025-40537<\/a> (high).<\/li>\n<\/ul>\n<p>CVE-2025-40551 and CVE-2025-40553 make WHD susceptible to untrusted data deserialization that could allow attackers to run commands on the host machine. 
The flaw could be exploited without authentication.<\/p>\n<p>The other two critical vulnerabilities, CVE-2025-40552 and CVE-2025-40554, are authentication bypasses which, if exploited, could allow attackers to invoke specific actions within Web Help Desk that should have been automatically protected by authentication.<\/p>\n<p>\u201cThose are three letters you never want to hear: \u2018I got RCE\u2019d\u2019,\u201d said Beauceron\u2019s Shipley, noting that data deserialization can expose enterprise secrets. \u201cThat\u2019s the worst. You really, really, really don\u2019t want an RCE.\u201d<\/p>\n<p>The four critical bugs are typically very reliable to exploit due to their deserialization and authentication logic flaws, noted <a href=\"https:\/\/www.rapid7.com\/blog\/author\/ryan-emmons\/\" target=\"_blank\" rel=\"noreferrer noopener\">Ryan Emmons<\/a>, security researcher at Rapid7. \u201cFor attackers, that\u2019s good news, because it means avoiding lots of bespoke exploit development work like you\u2019d see with other less reliable bug classes.\u201d<\/p>\n<p>Instead, attackers can use a standardized malicious payload across many vulnerable targets, Emmons noted. \u201cIf exploitation is successful, the attackers gain full control of the software and all the information stored by it, along with the potential ability to move laterally into other systems.\u201d<\/p>\n<p>Meanwhile, the high-severity vulnerability CVE-2025-40536 would allow threat actors to bypass security controls and gain access to certain functionalities that should be restricted only to authenticated users. 
Finally, CVE-2025-40537 is a hardcoded credentials vulnerability that, \u201cunder certain situations,\u201d could provide access to administrative functions.<\/p>\n<h2 class=\"wp-block-heading\" id=\"how-enterprises-should-respond\">How enterprises should respond<\/h2>\n<p>SolarWinds provides <a href=\"https:\/\/documentation.solarwinds.com\/en\/success_center\/whd\/content\/release_notes\/whd_2026-1_release_notes.htm#link6\" target=\"_blank\" rel=\"noreferrer noopener\">detailed instructions<\/a> for upgrading vulnerable servers to Web Help Desk 2026.1. Security teams must be vigilant on this, analysts emphasize.<\/p>\n<p>Emmons advised that the most important things defenders can do right now are upgrade to the latest version on an emergency basis, and investigate any anomalous activity on servers that might have been targeted.<\/p>\n<p>\u201cThese are bugs that likely won\u2019t take long to develop weaponized exploits for, so time is of the essence for the best outcome,\u201d he emphasized.<\/p>\n<h2 class=\"wp-block-heading\" id=\"solarwinds-troubles-just-keep-going-on\">SolarWinds\u2019 troubles just keep going on<\/h2>\n<p>These vulnerabilities reflect an unfortunate pattern for SolarWinds, whose WHD has repeatedly been under attack. Most recently, in September, the software company addressed a <a href=\"https:\/\/www.csoonline.com\/article\/4061929\/solarwinds-fixes-web-help-desk-patch-bypass-for-actively-exploited-flaw-again.html\" target=\"_blank\">second patch bypass<\/a> (CVE-2025-26399) for a WHD RCE flaw that was flagged a year earlier by the Cybersecurity and Infrastructure Security Agency (CISA) as being actively exploited. Also in 2024, the federal agency called out a credential flaw hardcoded into WHD.<\/p>\n<p>\u201cIt\u2019s like, \u2018not again,\u2019\u201d said Shipley. 
\u201cEveryone has this visceral, emotional reaction based on what happened to them <a href=\"https:\/\/www.csoonline.com\/article\/570191\/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html\" target=\"_blank\">five years ago<\/a>.\u201d<\/p>\n<p>Major breaches have a \u201cbrand blast radius, a brand half life,\u201d he noted, and this may bring back \u201cpast traumas\u201d for IT managers. SolarWinds is familiar to attackers, who realize it is a brand that could pay off.<\/p>\n<p>\u201cIt\u2019s all about the rolling impact, the ROI side,\u201d he said. Threat actors understand that they have a narrow attack window, and they want to maximize their chances for data exfiltration or ransom. And, if they\u2019re nation-state actors, the goal is to create \u201cmaximum havoc.\u201d<\/p>\n<p>\u201cIt\u2019s a perverse form of brand awareness that you never want,\u201d said Shipley.<\/p>\n<p>While this incident is bad news, the good news is it\u2019s not the same error, he noted. Also, in terms of RCEs, SolarWinds hasn\u2019t been as impacted as Cisco and Fortinet, the latter of which has faced criticism over <a href=\"https:\/\/www.csoonline.com\/article\/4093949\/fortinet-criticized-for-silent-patching-after-disclosing-second-zero-day-vulnerability-in-same-equipment.html%5C\" target=\"_blank\">\u2018silent\u2019 patching<\/a>.<\/p>\n<p>Vendors must get down past the symptom layer and address the root cause of vulnerabilities in programming logic, he said, pointing out, \u201cthey plug the hole, but don\u2019t figure out why they keep having holes.\u201d<\/p>\n<p>Ultimately, he said, \u201cthis is unsustainably bad for IT managers. 
We\u2019re hitting the breaking point.\u201d In the US, cybersecurity should be a regulatory priority; while it was an area of focus for the previous administration, there\u2019s been a \u201ccomplete U-turn\u201d under the current regime.<\/p>\n<p>\u201cThe only way out of this mess is to have better code,\u201d Shipley noted. But, \u201cwe are now doomed to the legacy code, [plus whatever vibe code adds to the mix]. The levees are going to break soon. We\u2019re going to have our code Katrina moment,\u201d he said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>SolarWinds is yet again disclosing security vulnerabilities in one of its widely-used products.\u00a0The company has released updates to patch six critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk (WHD) IT software. These flaws could allow attackers to bypass authentication, perform remote code execution (RCE), and access certain functionality that should be gated. 
Of the six, four are rated \u201ccritical\u201d (9.8&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15566\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15566","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15566","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15566"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15566\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15566"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15566"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15566"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}