
SolarWinds Web Help Desk Critical Vulnerabilities: Unauthenticated RCE and Authentication Bypass Fixed in Emergency Patch

  • Rescana

Executive Summary

SolarWinds has released urgent patches for four critical vulnerabilities in its Web Help Desk (WHD) product, including unauthenticated remote code execution (RCE) and authentication bypass flaws. These vulnerabilities are easily exploitable and allow unauthenticated attackers to gain full control of affected systems. The issues are tracked as CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554, with additional related CVEs for privilege escalation and static credentials.

All organizations running SolarWinds Web Help Desk versions 12.8.8 Hotfix 1 and below are at risk and must update to version 2026.1 immediately.


Vulnerability Details

CVE-2025-40551 & CVE-2025-40553 (Unauthenticated RCE via Deserialization)

  • CVSSv3: 9.8 (Critical)

  • CWE: 502 (Deserialization of Untrusted Data)

  • Description: Attackers can exploit a deserialization flaw in the AjaxProxy component, allowing unauthenticated remote code execution. The vulnerability is triggered via crafted JSON-RPC requests that bypass existing sanitization routines.

  • Exploit Chain:

    • Establish a session (visit the login page).

    • Abuse the wopage parameter to instantiate a LoginPref component.

    • Use the JSON-RPC bridge to send a malicious payload, bypassing blacklists and sanitization.

    • Achieve RCE via Java deserialization gadgets (e.g., JNDI injection).

CVE-2025-40552 & CVE-2025-40554 (Authentication Bypass)

  • CVSSv3: 9.8 (Critical)

  • CWE: 1390 (Weak Authentication)

  • Description: Attackers can bypass authentication controls, allowing them to access or execute privileged actions without valid credentials. These flaws can be chained with RCE vulnerabilities for full system compromise.

Additional Related Issues

  • CVE-2025-40536: Access control bypass (CWE-693)

  • CVE-2025-40537: Use of hard-coded credentials (CWE-798) – the default client:client account may allow privilege escalation.


Exploitation & Proof-of-Concept

  • Public Exploit/PoC: Horizon3.ai has published a Nuclei template demonstrating JNDI lookup via the AjaxProxy RCE chain (Horizon3.ai blog).

  • Exploit Steps:

    • Abuse the wopage parameter to create a LoginPref component.

    • Send a crafted JSON-RPC payload to the AjaxProxy endpoint, bypassing sanitization by using /wo/ instead of /ajax/ in the URI.

    • Trigger deserialization with a malicious Java object (e.g., JNDIConnectionPool).

  • Indicators of Compromise (IOCs):

    • Log entries showing access to /Helpdesk.woa/wo/* with unusual parameters.

    • Logins from the default client account.

    • Errors in logs referencing org.jabsorb.JSONRPCBridge, or whitelisted payloads with suspicious keywords (e.g., java..).


Technical Indicators

  • Affected Endpoints: /helpdesk/WebObjects/Helpdesk.woa/wo/*

  • Suspicious Parameters: wopage, badparam=/ajax/

  • Default Credentials: client:client

  • Log Patterns:

    • INFO sessionLogger - eventType=[login], accountType=[client], username=[client]

    • ERROR org.jabsorb.JSONRPCBridge - exception occured

    • INFO whd.helpdesk.com.macsdesign.util - Whitelisted payload with matched keyword: java..
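The log patterns and request shapes listed above can be turned into a small triage script for WHD application logs and the web server's access log. This is an added example, not code from the advisory or from SolarWinds; it assumes a combined-format access log and uses constructed sample lines.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Application-log indicators quoted in the Technical Indicators section.
APP_LOG_RULES = {
    "default-client-login": re.compile(
        r"eventType=\[login\].*accountType=\[client\].*username=\[client\]"),
    "jsonrpc-bridge-error": re.compile(r"org\.jabsorb\.JSONRPCBridge"),
    "whitelisted-java-payload": re.compile(r"matched keyword: java\.\."),
}
# Request line inside a combined-format access-log entry (assumed format).
REQUEST_RX = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/[\d.]+"')


def scan_app_log(lines):
    """Return [(line_no, rule_name)] for WHD application-log lines."""
    return [(n, name) for n, line in enumerate(lines, 1)
            for name, rx in APP_LOG_RULES.items() if rx.search(line)]


def classify_uri(uri):
    """Indicators for one URI: a /wo/ endpoint reached with wopage or a /ajax/ value."""
    parts = urlsplit(uri)
    if "/Helpdesk.woa/wo/" not in parts.path:
        return []
    params = parse_qs(parts.query, keep_blank_values=True)
    tags = ["wopage-on-wo-endpoint"] if "wopage" in params else []
    if any("/ajax/" in v for vals in params.values() for v in vals):
        tags.append("ajax-path-in-parameter")
    return tags


def scan_access_log(lines):
    """Return [(line_no, tag)] for web-server access-log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RX.search(line)
        if m:
            hits.extend((n, tag) for tag in classify_uri(m.group(1)))
    return hits


# Constructed sample lines (not real logs) so the module runs stand-alone.
SAMPLE_APP_LOG = [
    "INFO sessionLogger - eventType=[login], accountType=[client], username=[client]",
    "INFO sessionLogger - eventType=[login], accountType=[tech], username=[jdoe]",
    "ERROR org.jabsorb.JSONRPCBridge - exception occured",
    "INFO whd.helpdesk.com.macsdesign.util - Whitelisted payload with matched keyword: java..",
]
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [28/Jan/2026:10:00:01 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/Login?wopage=LoginPref&badparam=/ajax/ HTTP/1.1" 200 512',
    '10.0.0.6 - - [28/Jan/2026:10:00:02 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wa/Login HTTP/1.1" 200 2048',
]
```

Run `scan_app_log(SAMPLE_APP_LOG)` and `scan_access_log(SAMPLE_ACCESS_LOG)` against real files by passing the file's lines instead of the samples; the benign second line in each sample shows that ordinary logins and /wa/ requests are not flagged.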


Exploitation in the Wild

  • As of January 28, 2026, there are no confirmed reports of in-the-wild exploitation for these specific CVEs. However, previous SolarWinds WHD vulnerabilities have been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, and exploitation is expected to follow public disclosure and PoC release.


Threat Actor & TTPs

  • MITRE ATT&CK Techniques:

  • T1190: Exploit Public-Facing Application

  • T1136: Create Account (if default credentials are abused)

  • T1059: Command and Scripting Interpreter (post-exploitation)

  • APT Groups: No specific APT attribution yet, but SolarWinds products have been targeted by both criminal and state-sponsored actors in the past.


Mitigation

  • Upgrade immediately to SolarWinds Web Help Desk version 2026.1.

  • Remove or disable the default client account if not required.

  • Monitor logs for suspicious activity as described above.

  • Review access logs for unexpected requests to /wo/ endpoints with unusual parameters.


References & Further Reading


Disclosure Timeline

  • Dec 5, 2025: Horizon3.ai reports to SolarWinds PSIRT

  • Jan 28, 2026: SolarWinds releases patches


Prepared by the Rescana OSINT Cybersecurity Research Team. For questions or further assistance, contact your Rescana representative.