Overview
- The update addresses six vulnerabilities, including four critical CVSS 9.8 issues enabling unauthenticated remote code execution or authentication bypass.
- SolarWinds credits Jimi Sebree of Horizon3.ai and Piotr Bazydlo of watchTowr with discovering the flaws, which include unsafe deserialization and AjaxProxy weaknesses.
- CVE-2025-40551 and CVE-2025-40553 allow unauthenticated RCE via deserialization, while CVE-2025-40552 and CVE-2025-40554 enable authentication bypass.
- Two high‑severity issues were also fixed: a security control bypass (CVE-2025-40536) and hardcoded/static credentials tied to a default 'client' account (CVE-2025-40537).
- SolarWinds urges customers to upgrade affected versions (12.8.8 Hotfix 1 and below) to v2026.1 immediately, noting WHD’s prior CVEs were quickly weaponized and flagged by CISA.