WPM 2025.4.1 release notes
Release date: November 18, 2025
Here's what's new in WPM 2025.4.1. You can find the applicable system requirements here.
To view release notes, system requirements, and product guide PDFs for supported versions of WPM, see WPM previous versions. To view release notes for multiple versions
WPM runs on the SolarWinds Platform (self-hosted). WPM release notes include the updates from the SolarWinds Platform (self-hosted).
New features and improvements in WPM
There were no features or improvements added for WPM in this release.
New features and improvements in SolarWinds Platform
Cloud Discovery in Settings
You can now discover and edit your cloud infrastructure directly from the Settings menu. Click Settings > Cloud Discovery to begin.
Fixed CVEs
At SolarWinds, we prioritize the swift resolution of CVEs to ensure the security and integrity of our software. In this release, we have successfully addressed the following CVEs.
SolarWinds CVEs
SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2025-40545 | SolarWinds Observability Self-Hosted Open Redirection Vulnerability | SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required. | 4.8 Medium | Frédéric Goossens |
| CVE-2025-26391 | SolarWinds Observability Self-Hosted XSS Vulnerability | SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to an XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account. | 5.4 Medium | The KPN REDteam |
Third-party CVEs
| CVE-ID | Vulnerability title | Description | Severity |
|---|---|---|---|
| CVE-2024-13009 | Eclipse Jetty Information Disclosure | In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. | 7.2 High |
| CVE-2024-12798 | Logback-core Expression Language Injection vulnerability | ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core versions 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege. | 5.9 Medium |
| CVE-2024-12801 | Logback-core Server-Side Request Forgery | Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback versions 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform allows an attacker to forge requests by compromising logback configuration files in XML. The attack involves the modification of the DOCTYPE declaration in XML configuration files. | 2.4 Low |
| CVE-2024-47072 | Xstream Denial of Service Vulnerability | XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error, resulting in a denial of service, only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. | 7.5 Medium |
| CVE-2024-6763 | Eclipse Jetty Server-Side Request Forgery | Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine. It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However, the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RFC. Specifically, HttpURI and the browser may differ on the value of the host extracted from an invalid URI, and thus a combination of Jetty and a vulnerable browser may be vulnerable to an open redirect attack or to an SSRF attack if the URI is used after passing validation checks. | 3.7 Low |
| CVE-2024-8184 | Eclipse Jetty Denial of Service Vulnerability | There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and exhaust the server's memory. | 5.9 Medium |
Fixed customer issues
| Case number | Description | Platform product |
|---|---|---|
| 01995892 | An issue has been fixed that caused an agent's status to be reported incorrectly after the agent reconnected. | Platform |
| 02021525 | When you create a custom report that includes a SAM chart such as User and Computer Events on the Node, editing a time period (such as the Default zoom range) no longer causes previews to fail with the following error: | Platform |
| 00743703, 00972181 | Host header verification has been implemented to prevent host header attacks. | Platform |
Installation or upgrade
For new SolarWinds Platform deployments, download the installation file from the product page on https://www.solarwinds.com or from the Customer Portal. For more information, see Get the installer.
To activate your product in an existing SolarWinds Platform deployment, use the License Manager.
For upgrades, go to Settings > My Deployment to initiate the upgrade. The SolarWinds Installer upgrades your entire deployment (all SolarWinds Platform products and any scalability engines).
For more information, see the SolarWinds Platform Product Installation and Upgrade Guide.
For supported upgrade paths, see Upgrade an existing deployment.
End of life
| Version | EoL announcement | EoE effective date | EoL effective date |
|---|---|---|---|
| 2023.4 | October 21, 2025: End-of-Life (EoL) announcement – Customers on WPM version 2023.4 or earlier should begin transitioning to the latest version of WPM. | November 20, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for WPM version 2023.4 or earlier will no longer actively be supported by SolarWinds. | November 20, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for WPM version 2023.4. |
| 2023.3 | October 21, 2025: End-of-Life (EoL) announcement – Customers on WPM version 2023.3 or earlier should begin transitioning to the latest version of WPM. | November 20, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for WPM version 2023.3 or earlier will no longer actively be supported by SolarWinds. | November 20, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for WPM version 2023.3. |
| 2023.2 | June 10, 2025: End-of-Life (EoL) announcement – Customers on WPM version 2023.2 or earlier should begin transitioning to the latest version of WPM. | July 10, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for WPM version 2023.2 or earlier will no longer actively be supported by SolarWinds. | July 10, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for WPM version 2023.2. |
| 2023.1 | February 11, 2025: End-of-Life (EoL) announcement – Customers on WPM version 2023.1 or earlier should begin transitioning to the latest version of WPM. | March 13, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for WPM version 2023.1 or earlier will no longer actively be supported by SolarWinds. | March 13, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for WPM version 2023.1. |
See the End of Life Policy for information about SolarWinds product life cycle phases. To see EoL dates for earlier WPM versions, see WPM release history.
Deprecation notice
The following platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features.
SQL Server 2016
SQL Server 2016 is deprecated as of 2025.2. It is still available and supported in the current release, but will be removed in a future release. Consider using SQL Server 2017 or later.
Network Atlas
Network Atlas is deprecated as of Orion Platform 2020.2. It is still available and supported in the current release, but will be removed in a future release. Deprecation is an indication that you should avoid expanded use of this feature and formulate a plan to discontinue using the feature. SolarWinds recommends that you start using Intelligent Maps in the SolarWinds Platform Web Console to display maps of physical and logical relationships between entities monitored by the SolarWinds Platform products you have installed.
Starting with 2024.2, you can import Network Atlas maps to Intelligent Maps. See Import maps.
Legal notices
© 2025 SolarWinds Worldwide, LLC. All rights reserved.