CVE-2021-35243
CVE-2021-35243 is a medium-severity vulnerability in Solarwinds Web Help Desk with a CVSS 3.x base score of 5.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-749.
Key facts
- Severity: Medium (CVSS 3.x base score 5.3)
- CVSS v2: 5.0
- EPSS exploit prediction: 1% (55th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-749
- Affected product: Solarwinds Web Help Desk
- Published:
- Last modified:
Description
The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity.
Frequently asked questions
- What is CVE-2021-35243?
- The HTTP PUT and DELETE methods were enabled in the Web Help Desk web server (12.7.7 and earlier), allowing users to execute dangerous HTTP requests. The HTTP PUT method is normally used to upload data that is saved on the server with a user-supplied URL. While the DELETE method requests that the origin server removes the association between the target resource and its current functionality. Improper use of these methods may lead to a loss of integrity.
- How severe is CVE-2021-35243?
- CVE-2021-35243 has a CVSS 3.x base score of 5.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity low, and availability none.
- Is CVE-2021-35243 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (55th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-35243?
- CVE-2021-35243 affects Solarwinds Web Help Desk. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2021-35243?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2021-35243 published?
- CVE-2021-35243 was published on 2021-12-23 and last updated on 2026-06-17.
References
- https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US
- https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243
Affected products (1)
- cpe:2.3:a:solarwinds:web_help_desk:*:*:*:*:*:*:*:*
More vulnerabilities in Solarwinds Web Help Desk
- CVE-2025-40554 — Critical (CVSS 9.8): SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited,…
- CVE-2025-40553 — Critical (CVSS 9.8): SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead…
- CVE-2025-40552 — Critical (CVSS 9.8): SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would…
- CVE-2025-40551 — Critical (CVSS 9.8): SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead…
- CVE-2025-26399 — Critical (CVSS 9.8): SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code…
- CVE-2024-28988 — Critical (CVSS 9.8): SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability…
All CVEs affecting Solarwinds Web Help Desk →
Other CWE-749 vulnerabilities
- CVE-2023-40151 — Critical (CVSS 10.0): When user authentication is not enabled the shell can execute commands with the highest privileges. Red Lion SixTRAK…
- CVE-2026-55454 — Critical (CVSS 9.9): Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy…
- CVE-2026-30957 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors…
- CVE-2026-30921 — Critical (CVSS 9.9): OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors…
- CVE-2019-18342 — Critical (CVSS 9.9): A vulnerability has been identified in Control Center Server (CCS) (All versions < V1.5.0). The SFTP service (default…
- CVE-2025-59403 — Critical (CVSS 9.8): The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks…