Cyber Web Spider Blog – News

Critical SolarWinds Web Vulnerability Allows Remote Code Execution and Security Bypass

Posted on January 29, 2026 By CWS

Horizon3.ai researchers uncovered multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) through Java deserialization in CVE-2025-40551.

These flaws chain static credentials, security bypasses, and deserialization weaknesses, affecting versions prior to 2026.1.

SolarWinds WHD, an IT service management platform for ticketing and asset tracking, has faced repeated deserialization issues.

In 2024, CVE-2024-28986 enabled RCE through AjaxProxy and was added to CISA’s Known Exploited Vulnerabilities catalog; its patches were bypassed by CVE-2024-28988 and CVE-2025-26399.

The latest chain exploits similar paths, bypassing sanitization in JSON-RPC handling.

Vulnerability Demo (Source: Horizon3.ai)

The flaws include hardcoded credentials, CSRF and request-filter bypasses, and unsafe deserialization in the jabsorb library.

| CVE ID | Description | CVSS v3.1 Score | Impact |
|---|---|---|---|
| CVE-2025-40551 | Unauthenticated RCE through AjaxProxy deserialization | 9.8 | Remote command execution |
| CVE-2025-40537 | Static “client:client” credentials enabling admin access | 7.5 | Unauthorized privilege escalation |
| CVE-2025-40536 | Security bypass through bogus “/ajax/” parameter | 8.1 | Access to restricted WebObjects |

Attackers bypass whitelists by altering URIs from “/ajax/” to “/wo/”, create components with “wopage”, and inject gadgets like JNDI lookups.

Exploit Chain

Unauthenticated attackers begin by creating a session on the login page to extract wosid and XSRF tokens.

They bypass filters with “?badparam=/ajax/&wopage=LoginPref” to instantiate LoginPref, enabling AjaxProxy access, then POST malicious JSON payloads through JSONRPC for deserialization.

A Nuclei template demonstrates a JNDI lookup to external servers, confirming RCE potential.

Monitor logs in /logs/ for exploitation indicators.

| Log Type | IOC Example |
|---|---|
| whd-session.log | “eventType=[login], accountType=[client], username=[client]” |
| whd.log | “Whitelisted payload with matched key phrase: java..” or JSONRPC errors |
| Access logs | Requests to “/Helpdesk.woa/wo/*” with non-whitelisted params like “badparam=/ajax/” |

Unusual IPs hitting restricted endpoints signal compromise.
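The indicators listed above can be turned into a small log triage script. This is an added example, not code from Horizon3.ai or SolarWinds; the access-log format (common/combined), the sample lines, and the function and rule names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Patterns built from the indicators listed in the article.
SESSION_RE = re.compile(
    r"eventType=\[login\].*accountType=\[client\].*username=\[client\]")
# Prefix match only, so the rule does not depend on the exact tail of the message.
WHD_RE = re.compile(
    r"Whitelisted payload with matched|JSONRPC.*(?:error|exception)", re.I)
# Assumption: access logs are in common/combined format.
ACCESS_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|PUT|HEAD) (\S+) [^"]*"')

def suspicious_request(uri):
    """True if a /Helpdesk.woa/wo/ request carries '/ajax/' in a parameter value."""
    parts = urlsplit(uri)
    if "/Helpdesk.woa/wo/" not in parts.path:
        return False
    # parse_qsl decodes %2Fajax%2F; the extra unquote catches double encoding.
    return any("/ajax/" in unquote(value).lower()
               for _, value in parse_qsl(parts.query, keep_blank_values=True))

def scan(logs):
    """logs: {log name: lines}. Returns (log, rule, detail) tuples."""
    findings = []
    for name, rx, rule in (("whd-session.log", SESSION_RE, "client-account-login"),
                           ("whd.log", WHD_RE, "jsonrpc-filter-or-error")):
        findings += [(name, rule, l.strip()) for l in logs.get(name, []) if rx.search(l)]
    for line in logs.get("access", []):
        m = ACCESS_RE.match(line)
        if m and suspicious_request(m.group(2)):  # detail is the source IP
            findings.append(("access", "ajax-param-on-wo-path", m.group(1)))
    return findings

# Constructed sample lines (timestamps, IPs and paths are illustrative).
SAMPLE = {
    "whd-session.log": [
        "2026-01-20 10:02:11 eventType=[login], accountType=[client], username=[client]",
        "2026-01-20 10:05:40 eventType=[login], accountType=[tech], username=[jsmith]"],
    "whd.log": [
        "2026-01-20 10:02:13 WARN Whitelisted payload with matched key phrase: java..",
        "2026-01-20 10:06:00 INFO Ticket 4412 updated"],
    "access": [
        '203.0.113.7 - - [20/Jan/2026:10:02:12 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wo/1.0?badparam=%2Fajax%2F&wopage=LoginPref HTTP/1.1" 200 512',
        '198.51.100.4 - - [20/Jan/2026:10:03:00 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/7.2?ticket=4412 HTTP/1.1" 200 901'],
}

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A hit on the client-account rule alone can be legitimate where that account is in use; correlating it with an access-log hit from the same source IP in the same time window is the stronger signal.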

Upgrade immediately to WHD 2026.1, which addresses these issues, according to SolarWinds’ release notes. Review configurations to disable default accounts and enforce strict request filtering.

Coverage exists in tools like NodeZero; monitor CISA advisories for exploitation updates.
