Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass

Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass

Posted on By CWS

A number of important vulnerabilities in SolarWinds Internet Assist Desk (WHD), culminating in unauthenticated distant code execution (RCE) through Java deserialization in CVE-2025-40551, had been uncovered by Horizon3.ai researchers.

These flaws chain static credentials, safety bypasses, and deserialization weaknesses, affecting variations previous to 2026.1.

SolarWinds WHD, an IT service administration platform for ticketing and asset monitoring, has confronted repeated deserialization points.

In 2024, CVE-2024-28986 enabled RCE through AjaxProxy and was added to CISA’s Identified Exploited Vulnerabilities catalog; patches had been bypassed by CVE-2024-28988 and CVE-2025-26399.

The most recent chain exploits comparable paths, bypassing sanitization in JSON-RPC dealing with.

Vulnerability Demo (Supply: Horizon3.ai)

The failings embrace hardcoded credentials, CSRF and request-filter bypasses, and unsafe deserialization within the jabsorb library.​

CVE IDDescriptionCVSS v3.1 ScoreImpactCVE-2025-40551Unauthenticated RCE through AjaxProxy deserialization9.8Remote command executionCVE-2025-40537Static “shopper:shopper” credentials enabling admin access7.5Unauthorized privilege escalationCVE-2025-40536Protection bypass through bogus “/ajax/” parameter8.1Access to restricted WebObjects

Attackers bypass whitelists by altering URIs from “/ajax/” to “/wo/”, create elements with “wopage”, and inject devices like JNDI lookups.​

Exploit Chain

Unauthenticated attackers begin by making a session on the login web page to extract wosid and XSRF tokens.

They bypass filters with “?badparam=/ajax/&wopage=LoginPref” to instantiate LoginPref, enabling AjaxProxy entry, then POST malicious JSON payloads through JSONRPC for deserialization.

A Nuclei template demonstrates JNDI lookup to exterior servers, confirming RCE potential.​

Monitor logs in /logs/ for exploitation indicators.​

Log TypeIOC Examplewhd-session.log“eventType=[login], accountType=[client], username=[client]”​whd.log“Whitelisted payload with matched key phrase: java..” or JSONRPC errors​Entry logsRequests to “/Helpdesk.woa/wo/*” with non-whitelisted params like “badparam=/ajax/”​

Uncommon IPs hitting restricted endpoints sign compromise.​

Improve instantly to WHD 2026.1, which addresses these points, in accordance with SolarWinds’ launch notes. Assessment configurations to disable default accounts and implement strict request filtering.

Protection exists in instruments like NodeZero; monitor CISA advisories for exploitation updates.

Comply with us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to characteristic your tales.

Cyber Security News Tags:, , , , , , , ,

Related Posts

As Third-Party Vulnerabilities Rise, CISOs Accelerate Push for Security Modernization   As Third-Party Vulnerabilities Rise, CISOs Accelerate Push for Security Modernization   Cyber Security News
Critical FortiClient EMS Vulnerabilities Expose 2,000 Servers Critical FortiClient EMS Vulnerabilities Expose 2,000 Servers Cyber Security News
VoidLink Malware Targets Kubernetes and Cloud Systems VoidLink Malware Targets Kubernetes and Cloud Systems Cyber Security News
Cybercriminals Exploit Telegram for Corporate Network Access Cybercriminals Exploit Telegram for Corporate Network Access Cyber Security News
New Phishing Attack Bypasses Using UUIDs Unique to Bypass Secure Email Gateways New Phishing Attack Bypasses Using UUIDs Unique to Bypass Secure Email Gateways Cyber Security News
Multi-Staged ValleyRAT Uses WeChat and DingTalk to Attack Windows Users Multi-Staged ValleyRAT Uses WeChat and DingTalk to Attack Windows Users Cyber Security News