Critical vulnerabilities at SolarWinds Web Help Desk allow remote execution without credentials and demand immediate patch to WHD 2026.1

SolarWinds has published security updates for its Web Help Desk (WHD) product that correct a number of serious failures discovered in the service, including several vulnerabilities that could allow from avoiding authentication controls to running code remotely on affected servers. These corrections come in the version WHD 2026.1, and SolarWinds offers details and patches in its security center and version notes ( advisories and release notes).

The gravity of the set of failures is high: several of the vulnerabilities are rated with CVSS scores close to 9.8, indicating that an attacker could cause significant damage without prior authentication. In particular, some of the weaknesses allow the deserialization of unreliable data, a technique that often derives in remote code execution (CERs) because the software reconstructs malicious objects sent by the attacker and ends up running unintended logic.

External researchers identified and reported these problems. Some of the discoverers come from Horizon3.ai and others from the watchTowr firm; SolarWinds recognizes their contribution in the resolution. For a deeper technical analysis of one of the deerialization failures, the Horizon3.ai report can be consulted, which explains how the AjaxProxy functionality was used as a vector ( Horizon3.ai analysis).

The response teams and security signatures have emphasized that the combination of unsafe deerialization and unauthenticated access greatly increases the risk. Rapid7, for example, has pointed out that the possibility of achieving CERs without the need for credentials makes these vulnerabilities attractive targets for automated attackers and mass campaigns, so it considers the impact to be very high ( Rapid7 analysis).

From a practical point of view, a successful explosion described by researchers involves setting up a valid session to extract certain key values, manipulating internal components of the system to allow file loading and using JSON-RPC bridges to create malicious Java objects that are then triggered to run commands on the system. This sequence turns an apparently logical vulnerability into a way to run arbitrary code on the machine that houses WHD.

It is important to place these findings in context: SolarWinds has previously had vulnerabilities in Web Help Desk that have required successive patches, and in some cases these failures were listed as exploited in the real world. In 2024 several WHD-related CVE received public attention, and some ended up in the catalogue of vulnerabilities exploited by real CISA actors ( Known Exploited Vulnerabilities). SolarWinds also documented previous corrections and cases of patches that needed backup in its own notice repository ( example of previous notice).

For organizations and managers, the recommendation is clear: update to WHD 2026.1 as soon as possible and verify that the updates have been applied correctly. Since several of the vulnerabilities allow exploitation without credentials, delaying the patch increases the likelihood of being targeted for automated scans or targeted attacks. If for any reason it is not possible to update immediately, it is appropriate to restrict access to administrative interfaces, apply firewall rules that limit traffic to the WHD instance, and monitor with priority records and signs of abnormal behavior on the endpoints and servers involved.

In addition to patching, it is prudent to audit the facilities to determine whether a prior intrusion could have occurred: review access logs, search for unexpected processes or files, and check image and binary integrity. EDR tools or network inspections can help identify operating traces and post-operating actions. If suspicious activity is detected, contact the security provider and consider isolating the affected systems until a forensic analysis is completed.

The cycle of vulnerabilities in widely deployed products such as Web Help Desk recalls a basic safety rule: the exposure surface and the presence of functions with dynamic serialization or remote bridges increase the risk if not controlled with validation and strict restrictions. Apply updates, minimize service exposure and active detection are essential practices to reduce that surface and limit the impact of undiscovered failures.

If you want to access the original sources and technical analyses, check the SolarWinds notes and the research team reports linked to this article: the SolarWinds ( security advisers), the notes in version WHD 2026.1 ( release notes), public analysis of Rapid7 ( Rapid7) and the technical research of Horizon3.ai ( Horizon3.ai).

In short, if your organization uses SolarWinds Web Help Desk, don't postpone it: updates to the parcheed version and strengthens the perimeter and detection defenses to mitigate the risk while completing the updating of the facilities.