SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
The application deserializes data supplied by an external user without proper verification of its origin or content (CWE-502). An attacker can prepare a malicious payload and submit it to the vulnerable endpoint without needing an account or session. During the deserialization process, the malicious object is processed by the server, leading to the execution of arbitrary system commands on the host machine.
Attackers gain the ability to remotely execute arbitrary commands on the server (RCE) without authentication, which in practice means complete takeover of the host, including data access, ability to install malicious software, and lateral movement in the network.
The update described in the SolarWinds Web Help Desk 2026-1 release notes, available at the address indicated in the manufacturer's references, should be applied immediately. Additionally, it is recommended to restrict network access to the Web Help Desk interface only to trusted networks or hosts until the patch is deployed.
SolarWinds Web Help Desk — versions indicated in the manufacturer's references (patch available in the version described in WHD 2026-1 release notes)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSolarwinds Web Help Desk
APPSolarwinds< 2026.1
Related vulnerabilities
RCE przez deserializację w SolarWinds Web Help Desk — bez uwierzytelnienia
RCE przez deserializację AjaxProxy w SolarWinds Web Help Desk (nieuwierzytelniony)
SolarWinds Web Help Desk – hardcoded credential umożliwia zdalny dostęp
RCE przez Java Deserialization w SolarWinds Web Help Desk
SolarWinds Web Help Desk — pominięcie uwierzytelnienia (Auth Bypass)