SolarWinds Web Help Desk Critical Vulnerabilities: Unauthenticated RCE and Authentication Bypass Fixed in Emergency Patch

Executive Summary

SolarWinds has released urgent patches for four critical vulnerabilities in its Web Help Desk (WHD) product, including unauthenticated remote code execution (RCE) and authentication bypass flaws. These vulnerabilities are easily exploitable and allow unauthenticated attackers to gain full control of affected systems. The issues are tracked as CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554, with additional related CVEs for privilege escalation and static credentials.

All organizations running SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below are at risk and must update to version 2026.1 immediately.

Vulnerability Details

CVE-2025-40551 & CVE-2025-40553 (Unauthenticated RCE via Deserialization)

  • CVSSv3: 9.8 (Critical)
  • CWE: 502 (Deserialization of Untrusted Data)
  • Description: Attackers can exploit a deserialization flaw in the AjaxProxy component, allowing unauthenticated remote code execution. The vulnerability is triggered via crafted JSON-RPC requests that bypass existing sanitization routines.
  • Exploit Chain:
      • Establish a session (visit the login page).
      • Abuse the wopage parameter to instantiate a LoginPref component.
      • Use the JSON-RPC bridge to send a malicious payload, bypassing blacklists and sanitization.
      • Achieve RCE via Java deserialization gadgets (e.g., JNDI injection).

CVE-2025-40552 & CVE-2025-40554 (Authentication Bypass)

  • CVSSv3: 9.8 (Critical)
  • CWE: 1390 (Weak Authentication)
  • Description: Attackers can bypass authentication controls, allowing them to access or execute privileged actions without valid credentials. These flaws can be chained with RCE vulnerabilities for full system compromise.

Additional Related Issues

  • CVE-2025-40536: Access control bypass (CWE-693)
  • CVE-2025-40537: Use of hard-coded credentials (CWE-798) – default client:client account may allow privilege escalation.

Exploitation & Proof-of-Concept

  • Public Exploit/PoC: Horizon3.ai has published a Nuclei template demonstrating JNDI lookup via the AjaxProxy RCE chain (Horizon3.ai blog).
  • Exploit Steps:
      • Abuse the wopage parameter to create a LoginPref component.
      • Send a crafted JSON-RPC payload to the AjaxProxy endpoint, bypassing sanitization by using /wo/ instead of /ajax/ in the URI.
      • Trigger deserialization with a malicious Java object (e.g., JNDIConnectionPool).
  • Indicators of Compromise (IOCs):
      • Log entries showing access to /Helpdesk.woa/wo/* with unusual parameters.
      • Logins from the default client account.
      • Log errors referencing org.jabsorb.JSONRPCBridge, or whitelisted-payload log entries that match suspicious keywords (e.g., java..).

Technical Indicators

  • Affected Endpoints: /helpdesk/WebObjects/Helpdesk.woa/wo/*
  • Suspicious Parameters: wopage, badparam=/ajax/
  • Default Credentials: client:client
  • Log Patterns:
      • INFO sessionLogger - eventType=[login], accountType=[client], username=[client]
      • ERROR org.jabsorb.JSONRPCBridge - exception occured
      • INFO whd.helpdesk.com.macsdesign.util - Whitelisted payload with matched keyword: java..
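The indicators above can be turned into a simple log scanner. The following is an added detection example written for this brief (not code from SolarWinds, Rapid7 or Horizon3.ai); it assumes web-server access-log lines contain the request path and query string in "METHOD path?query" form, and the sample lines are constructed, not captured from a real system.

```python
import re

# Detection rules built only from the indicator strings listed in this brief.
# The access-log line shape (METHOD path?query ...) is an assumption about the
# reader's web-server log format; the application-log strings are verbatim.
RULES = [
    ("wo-endpoint-suspicious-params",
     re.compile(r"/Helpdesk\.woa/wo/[^\s?]*\?[^\s]*(?:\bwopage=|badparam=/ajax/)")),
    ("default-client-login",
     re.compile(r"eventType=\[login\], accountType=\[client\], username=\[client\]")),
    ("jsonrpc-bridge-error",
     re.compile(r"ERROR org\.jabsorb\.JSONRPCBridge")),
    ("whitelisted-payload-java",
     re.compile(r"Whitelisted payload with matched keyword: java\.\.")),
]


def scan_line(line):
    """Return the names of every rule that matches a single log line."""
    return [name for name, rx in RULES if rx.search(line)]


def scan_lines(lines):
    """Map each triggered rule name to the 1-based line numbers that hit it."""
    hits = {}
    for n, line in enumerate(lines, 1):
        for name in scan_line(line):
            hits.setdefault(name, []).append(n)
    return hits


# Constructed sample log lines mixing suspicious and benign entries.
SAMPLE_LOG = [
    "GET /helpdesk/WebObjects/Helpdesk.woa/wo/abc?wopage=LoginPref HTTP/1.1 200",
    "GET /helpdesk/WebObjects/Helpdesk.woa/wo/abc?badparam=/ajax/ HTTP/1.1 200",
    "GET /helpdesk/WebObjects/Helpdesk.woa/wa/Login HTTP/1.1 200",
    "INFO sessionLogger - eventType=[login], accountType=[client], username=[client]",
    "INFO sessionLogger - eventType=[login], accountType=[tech], username=[alice]",
    "ERROR org.jabsorb.JSONRPCBridge - exception occured",
    "INFO whd.helpdesk.com.macsdesign.util - Whitelisted payload with matched keyword: java..",
]

if __name__ == "__main__":
    for name, line_numbers in scan_lines(SAMPLE_LOG).items():
        print(f"{name}: lines {line_numbers}")
```

A single hit on the default client login is noisy on its own; the pairing of a /wo/ request carrying wopage or badparam=/ajax/ with a JSONRPCBridge error or whitelisted-payload entry in the same window is the stronger signal.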

Exploitation in the Wild

  • As of January 28, 2026, there are no confirmed reports of in-the-wild exploitation for these specific CVEs. However, previous SolarWinds WHD vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and exploitation is expected to follow public disclosure and PoC release.

Threat Actor & TTPs

  • MITRE ATT&CK Techniques:
      • T1190: Exploit Public-Facing Application
      • T1136: Create Account (if default credentials are abused)
      • T1059: Command and Scripting Interpreter (post-exploitation)
  • APT Groups: No specific APT attribution yet, but SolarWinds products have been targeted by both criminal and state-sponsored actors in the past.

Mitigation

  • Upgrade immediately to SolarWinds Web Help Desk version 2026.1.
  • Remove or disable the default client account if not required.
  • Monitor logs for suspicious activity as described above.
  • Review access logs for unexpected requests to /wo/ endpoints with unusual parameters.

References & Further Reading

  • Rapid7: Multiple Critical SolarWinds Web Help Desk Vulnerabilities
  • Horizon3.ai: CVE-2025-40551 Technical Analysis & PoC
  • SolarWinds Security Advisory
  • BleepingComputer: SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
  • CVE-2025-40551 NVD Entry
  • CISA KEV Catalog

Disclosure Timeline

  • Dec 5, 2025: Horizon3.ai reports to SolarWinds PSIRT
  • Jan 28, 2026: SolarWinds releases patches

Prepared by Rescana OSINT Cybersecurity Research Team. For questions or further assistance, contact your Rescana representative.