Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass

Posted on By CWS

A number of important vulnerabilities in SolarWinds Internet Assist Desk (WHD), culminating in unauthenticated distant code execution (RCE) through Java deserialization in CVE-2025-40551, had been uncovered by Horizon3.ai researchers.

These flaws chain static credentials, safety bypasses, and deserialization weaknesses, affecting variations previous to 2026.1.

SolarWinds WHD, an IT service administration platform for ticketing and asset monitoring, has confronted repeated deserialization points.

In 2024, CVE-2024-28986 enabled RCE through AjaxProxy and was added to CISA’s Identified Exploited Vulnerabilities catalog; patches had been bypassed by CVE-2024-28988 and CVE-2025-26399.

The most recent chain exploits comparable paths, bypassing sanitization in JSON-RPC dealing with.

Vulnerability Demo (Supply: Horizon3.ai)

The failings embrace hardcoded credentials, CSRF and request-filter bypasses, and unsafe deserialization within the jabsorb library.​

CVE IDDescriptionCVSS v3.1 ScoreImpactCVE-2025-40551Unauthenticated RCE through AjaxProxy deserialization9.8Remote command executionCVE-2025-40537Static “shopper:shopper” credentials enabling admin access7.5Unauthorized privilege escalationCVE-2025-40536Protection bypass through bogus “/ajax/” parameter8.1Access to restricted WebObjects

Attackers bypass whitelists by altering URIs from “/ajax/” to “/wo/”, create elements with “wopage”, and inject devices like JNDI lookups.​

Exploit Chain

Unauthenticated attackers begin by making a session on the login web page to extract wosid and XSRF tokens.

They bypass filters with “?badparam=/ajax/&wopage=LoginPref” to instantiate LoginPref, enabling AjaxProxy entry, then POST malicious JSON payloads through JSONRPC for deserialization.

A Nuclei template demonstrates JNDI lookup to exterior servers, confirming RCE potential.​

Monitor logs in /logs/ for exploitation indicators.​

Log TypeIOC Examplewhd-session.log“eventType=[login], accountType=[client], username=[client]”​whd.log“Whitelisted payload with matched key phrase: java..” or JSONRPC errors​Entry logsRequests to “/Helpdesk.woa/wo/*” with non-whitelisted params like “badparam=/ajax/”​

Uncommon IPs hitting restricted endpoints sign compromise.​

Improve instantly to WHD 2026.1, which addresses these points, in accordance with SolarWinds’ launch notes. Assessment configurations to disable default accounts and implement strict request filtering.

Protection exists in instruments like NodeZero; monitor CISA advisories for exploitation updates.

Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , , , ,

Related Posts

Docker Open Sources Production-Ready Hardened Images for Free Cyber Security News
North Korean APT Hackers Attacking Ukrainian Government Agencies to Steal Login Credentials Cyber Security News
Node.js Security Release Patches 7 Vulnerabilities Across All Release Lines Cyber Security News
New Malicious Rust Crates Impersonating fast_log to Steal Solana and Ethereum Wallet Keys Cyber Security News
Threat Actors Attacking Cryptocurrency and Blockchain Developers with Weaponized npm and PyPI Packages Cyber Security News
Top 10 Best Supply Chain Risk Management Solutions in 2025 Cyber Security News