"Attackers don't always need 'zero-day' magic when they can just lean on reliable, low-complexity techniques like deserialisation. These flaws get buried in trusted, boring platforms like help desks, and that's exactly why they're so dangerous,"
"easily exploitable"
"Risks like this are often overlooked until Cisa drops a Kev notice. The real headache isn't just the RCE; it's the chaining. Once you've got unauthenticated admin access, you're not just looking at one box, you are now looking at lateral movement and full co"
CVE-2025-40551 is a CWE-502 deserialization flaw in SolarWinds Web Help Desk that permits unauthenticated remote code execution if left unpatched. SolarWinds disclosed five additional high- or critical-severity CVEs affecting authentication bypass, another deserialization-based RCE, access-control bypass, and potential privilege elevation. SolarWinds released Web Help Desk 2026.1 to remediate all six issues. Exploitation in the wild prompted inclusion of CVE-2025-40551 in the U.S. CISA Known Exploited Vulnerabilities catalogue. Unauthenticated administrative access via these flaws enables lateral movement and potential full network compromise, increasing urgency for immediate patching.
Read at ComputerWeekly.com
Unable to calculate read time
Collection
[
|
...
]