Multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) via Java deserialization in CVE-2025-40551, were uncovered by Horizon3.ai researchers.
These flaws chain static credentials, security bypasses, and deserialization weaknesses, affecting versions prior to 2026.1.
SolarWinds WHD, an IT service management platform for ticketing and asset tracking, has faced repeated deserialization issues.
In 2024, CVE-2024-28986 enabled RCE via AjaxProxy and was added to CISA’s Known Exploited Vulnerabilities catalog; patches were bypassed by CVE-2024-28988 and CVE-2025-26399.
The latest chain exploits similar paths, bypassing sanitization in JSON-RPC handling.
The flaws include hardcoded credentials, CSRF and request-filter bypasses, and unsafe deserialization in the jabsorb library.
| CVE ID | Description | CVSS v3.1 Score | Impact |
|---|---|---|---|
| CVE-2025-40551 | Unauthenticated RCE via AjaxProxy deserialization | 9.8 | Remote command execution |
| CVE-2025-40537 | Static “client:client” credentials enabling admin access | 7.5 | Unauthorized privilege escalation |
| CVE-2025-40536 | Protection bypass via bogus “/ajax/” parameter | 8.1 | Access to restricted WebObjects |
Attackers bypass whitelists by altering URIs from “/ajax/” to “/wo/”, create components with “wopage”, and inject gadgets like JNDI lookups.
Exploit Chain
Unauthenticated attackers start by creating a session on the login page to extract wosid and XSRF tokens.
They bypass filters with “?badparam=/ajax/&wopage=LoginPref” to instantiate LoginPref, enabling AjaxProxy access, then POST malicious JSON payloads via JSONRPC for deserialization.
A Nuclei template demonstrates JNDI lookup to external servers, confirming RCE potential.
Monitor logs in /logs/ for exploitation signs.
| Log Type | IOC Example |
|---|---|
| whd-session.log | “eventType=[login], accountType=[client], username=[client]” |
| whd.log | “Whitelisted payload with matched keyword: java..” or JSONRPC errors |
| Access logs | Requests to “/Helpdesk.woa/wo/*” with non-whitelisted params like “badparam=/ajax/” |
Unusual IPs hitting restricted endpoints signal compromise.
Upgrade immediately to WHD 2026.1, which addresses these issues, according to SolarWinds’ release notes. Review configurations to disable default accounts and enforce strict request filtering.
Coverage exists in tools like NodeZero; monitor CISA advisories for exploitation updates.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
