A number of important vulnerabilities in SolarWinds Internet Assist Desk (WHD), culminating in unauthenticated distant code execution (RCE) through Java deserialization in CVE-2025-40551, had been uncovered by Horizon3.ai researchers.
These flaws chain static credentials, safety bypasses, and deserialization weaknesses, affecting variations previous to 2026.1.
SolarWinds WHD, an IT service administration platform for ticketing and asset monitoring, has confronted repeated deserialization points.
In 2024, CVE-2024-28986 enabled RCE through AjaxProxy and was added to CISA’s Identified Exploited Vulnerabilities catalog; patches had been bypassed by CVE-2024-28988 and CVE-2025-26399.
The most recent chain exploits comparable paths, bypassing sanitization in JSON-RPC dealing with.
Vulnerability Demo (Supply: Horizon3.ai)
The failings embrace hardcoded credentials, CSRF and request-filter bypasses, and unsafe deserialization within the jabsorb library.
CVE IDDescriptionCVSS v3.1 ScoreImpactCVE-2025-40551Unauthenticated RCE through AjaxProxy deserialization9.8Remote command executionCVE-2025-40537Static “shopper:shopper” credentials enabling admin access7.5Unauthorized privilege escalationCVE-2025-40536Protection bypass through bogus “/ajax/” parameter8.1Access to restricted WebObjects
Attackers bypass whitelists by altering URIs from “/ajax/” to “/wo/”, create elements with “wopage”, and inject devices like JNDI lookups.
Exploit Chain
Unauthenticated attackers begin by making a session on the login web page to extract wosid and XSRF tokens.
They bypass filters with “?badparam=/ajax/&wopage=LoginPref” to instantiate LoginPref, enabling AjaxProxy entry, then POST malicious JSON payloads through JSONRPC for deserialization.
A Nuclei template demonstrates JNDI lookup to exterior servers, confirming RCE potential.
Monitor logs in /logs/ for exploitation indicators.
Log TypeIOC Examplewhd-session.log“eventType=[login], accountType=[client], username=[client]”whd.log“Whitelisted payload with matched key phrase: java..” or JSONRPC errorsEntry logsRequests to “/Helpdesk.woa/wo/*” with non-whitelisted params like “badparam=/ajax/”
Uncommon IPs hitting restricted endpoints sign compromise.
Improve instantly to WHD 2026.1, which addresses these points, in accordance with SolarWinds’ launch notes. Assessment configurations to disable default accounts and implement strict request filtering.
Protection exists in instruments like NodeZero; monitor CISA advisories for exploitation updates.
Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.
