Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass

Posted on By CWS

A number of important vulnerabilities in SolarWinds Internet Assist Desk (WHD), culminating in unauthenticated distant code execution (RCE) through Java deserialization in CVE-2025-40551, had been uncovered by Horizon3.ai researchers.

These flaws chain static credentials, safety bypasses, and deserialization weaknesses, affecting variations previous to 2026.1.

SolarWinds WHD, an IT service administration platform for ticketing and asset monitoring, has confronted repeated deserialization points.

In 2024, CVE-2024-28986 enabled RCE through AjaxProxy and was added to CISA’s Identified Exploited Vulnerabilities catalog; patches had been bypassed by CVE-2024-28988 and CVE-2025-26399.

The most recent chain exploits comparable paths, bypassing sanitization in JSON-RPC dealing with.

Vulnerability Demo (Supply: Horizon3.ai)

The failings embrace hardcoded credentials, CSRF and request-filter bypasses, and unsafe deserialization within the jabsorb library.​

CVE IDDescriptionCVSS v3.1 ScoreImpactCVE-2025-40551Unauthenticated RCE through AjaxProxy deserialization9.8Remote command executionCVE-2025-40537Static “shopper:shopper” credentials enabling admin access7.5Unauthorized privilege escalationCVE-2025-40536Protection bypass through bogus “/ajax/” parameter8.1Access to restricted WebObjects

Attackers bypass whitelists by altering URIs from “/ajax/” to “/wo/”, create elements with “wopage”, and inject devices like JNDI lookups.​

Exploit Chain

Unauthenticated attackers begin by making a session on the login web page to extract wosid and XSRF tokens.

They bypass filters with “?badparam=/ajax/&wopage=LoginPref” to instantiate LoginPref, enabling AjaxProxy entry, then POST malicious JSON payloads through JSONRPC for deserialization.

A Nuclei template demonstrates JNDI lookup to exterior servers, confirming RCE potential.​

Monitor logs in /logs/ for exploitation indicators.​

Log TypeIOC Examplewhd-session.log“eventType=[login], accountType=[client], username=[client]”​whd.log“Whitelisted payload with matched key phrase: java..” or JSONRPC errors​Entry logsRequests to “/Helpdesk.woa/wo/*” with non-whitelisted params like “badparam=/ajax/”​

Uncommon IPs hitting restricted endpoints sign compromise.​

Improve instantly to WHD 2026.1, which addresses these points, in accordance with SolarWinds’ launch notes. Assessment configurations to disable default accounts and implement strict request filtering.

Protection exists in instruments like NodeZero; monitor CISA advisories for exploitation updates.

Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , , , ,

Related Posts

Windows Common Log File System Driver Vulnerability Let Attackers Escalate Privileges Cyber Security News
Windows DWM 0-Day Vulnerability Allows Attackers to Escalate Privileges Cyber Security News
Threat Actors Impersonate as MalwareBytes to Attack Users and Steal Logins Cyber Security News
CISA Warns Of Rapid7 Velociraptor Vulnerability Exploited in Ransomware Attacks Cyber Security News
Herodotus Android Banking Malware Takes Full Control Of Device Evading Antivirus Cyber Security News
Printer Company Offered Malicious Drivers Infected With XRed Malware Cyber Security News