Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass

Multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) via Java deserialization in CVE-2025-40551, were uncovered by Horizon3.ai researchers.

These flaws chain static credentials, security bypasses, and deserialization weaknesses, affecting versions prior to 2026.1.

SolarWinds WHD, an IT service management platform for ticketing and asset tracking, has faced repeated deserialization issues.

In 2024, CVE-2024-28986 enabled RCE via AjaxProxy and was added to CISA’s Known Exploited Vulnerabilities catalog; patches were bypassed by CVE-2024-28988 and CVE-2025-26399.

The latest chain exploits similar paths, bypassing sanitization in JSON-RPC handling.

The flaws include hardcoded credentials, CSRF and request-filter bypasses, and unsafe deserialization in the jabsorb library.​

CVE ID	Description	CVSS v3.1 Score	Impact
CVE-2025-40551	Unauthenticated RCE via AjaxProxy deserialization	9.8	Remote command execution
CVE-2025-40537	Static “client:client” credentials enabling admin access	7.5	Unauthorized privilege escalation
CVE-2025-40536	Protection bypass via bogus “/ajax/” parameter	8.1	Access to restricted WebObjects

Attackers bypass whitelists by altering URIs from “/ajax/” to “/wo/”, create components with “wopage”, and inject gadgets like JNDI lookups.​

Exploit Chain

Unauthenticated attackers start by creating a session on the login page to extract wosid and XSRF tokens.

They bypass filters with “?badparam=/ajax/&wopage=LoginPref” to instantiate LoginPref, enabling AjaxProxy access, then POST malicious JSON payloads via JSONRPC for deserialization.

A Nuclei template demonstrates JNDI lookup to external servers, confirming RCE potential.​

Monitor logs in <Install>/logs/ for exploitation signs.​

Log Type	IOC Example
whd-session.log	“eventType=[login], accountType=[client], username=[client]”​
whd.log	“Whitelisted payload with matched keyword: java..” or JSONRPC errors​
Access logs	Requests to “/Helpdesk.woa/wo/*” with non-whitelisted params like “badparam=/ajax/”​

Unusual IPs hitting restricted endpoints signal compromise.​

Mitigations

Upgrade immediately to WHD 2026.1, which addresses these issues, according to SolarWinds’ release notes. Review configurations to disable default accounts and enforce strict request filtering.

Coverage exists in tools like NodeZero; monitor CISA advisories for exploitation updates.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass appeared first on Cyber Security News.