Critical Vulnerabilities in SolarWinds Web Help Desk Expose Systems to Remote Code Execution
Recent discoveries have unveiled multiple critical vulnerabilities within SolarWinds’ Web Help Desk (WHD) software, potentially allowing unauthenticated attackers to execute remote code and bypass security measures. These flaws, identified by Horizon3.ai researchers, affect WHD versions prior to 2026.1 and involve a combination of static credentials, security bypasses, and deserialization weaknesses.
Background on SolarWinds Web Help Desk
SolarWinds Web Help Desk is a widely used IT service management platform designed for ticketing and asset tracking. Its extensive adoption across various industries makes it a significant target for cyber threats. Over the years, WHD has encountered several security challenges, particularly concerning deserialization vulnerabilities.
Details of the Vulnerabilities
The latest vulnerabilities are particularly concerning due to their potential for unauthenticated remote code execution (RCE) through Java deserialization. The primary issues include:
1. Unauthenticated RCE via AjaxProxy Deserialization (CVE-2025-40551): This critical vulnerability allows remote attackers to execute arbitrary commands on the host machine without authentication. It has been assigned a CVSS v3.1 score of 9.8, indicating its severity.
2. Static Credentials Enabling Admin Access (CVE-2025-40537): The presence of hardcoded client:client credentials can lead to unauthorized privilege escalation, granting attackers administrative access. This vulnerability has a CVSS v3.1 score of 7.5.
3. Protection Bypass via Malicious Parameters (CVE-2025-40536): Attackers can bypass security protections by manipulating parameters, such as using a bogus /ajax/ parameter, to access restricted WebObjects. This flaw has a CVSS v3.1 score of 8.1.
Exploit Mechanism
The exploitation process involves several steps:
– Session Creation: Attackers initiate a session on the WHD login page to extract session identifiers and cross-site request forgery (XSRF) tokens.
– Filter Bypass: By altering Uniform Resource Identifiers (URIs) from /ajax/ to /wo/ and creating components with wopage, attackers can bypass whitelists and access restricted functionalities.
– Payload Delivery: Malicious JSON payloads are sent via JSON-RPC, leading to unsafe deserialization and potential remote code execution.
Indicators of Compromise (IoCs)
Administrators should monitor the following logs for signs of exploitation:
– whd-session.log: Look for entries indicating unexpected login events, such as eventType=[login], accountType=[client], username=[client].
– whd.log: Be alert to messages such as "Whitelisted payload with matched keyword: java" or JSON-RPC errors.
– Access Logs: Unusual requests to /Helpdesk.woa/wo/ with non-whitelisted parameters, such as badparam=/ajax/, may indicate compromise.
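The three indicator families above, turned into a small log scanner run over constructed sample lines. This is an added example, not code from the advisory or from SolarWinds; the exact line layouts, the access-log format and the file names are assumptions, so adjust the patterns to the real WHD output before relying on them.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the indicators named in the advisory.
# They are not real WHD output; the field layout is an assumption.
SAMPLE_LOGS = {
    "whd-session.log": [
        "2026-01-05 10:02:11 eventType=[login] accountType=[tech] username=[jdoe]",
        "2026-01-05 10:03:40 eventType=[login] accountType=[client] username=[client]",
    ],
    "whd.log": [
        "2026-01-05 10:03:41 INFO  Whitelisted payload with matched keyword: java.",
        "2026-01-05 10:03:42 ERROR JSON-RPC error: invalid request",
        "2026-01-05 10:04:00 INFO  Ticket 1234 updated",
    ],
    "access.log": [
        '203.0.113.7 - - [05/Jan/2026:10:03:39 +0000] "POST /Helpdesk.woa/wo/42?badparam=/ajax/ HTTP/1.1" 200 512',
        '198.51.100.2 - - [05/Jan/2026:10:05:00 +0000] "GET /Helpdesk.woa/wa/Login HTTP/1.1" 200 2048',
    ],
}

# One pattern per indicator family, each anchored to the text the advisory quotes.
INDICATORS = {
    "whd-session.log": [
        ("default-client-login",
         re.compile(r"eventType=\[login\].*accountType=\[client\].*username=\[client\]")),
    ],
    "whd.log": [
        ("payload-keyword-java", re.compile(r"Whitelisted payload with matched keyword: java")),
        ("jsonrpc-error", re.compile(r"JSON-RPC error", re.IGNORECASE)),
    ],
    "access.log": [
        # a /wo/ request carrying any query parameter whose value is /ajax/
        ("wo-path-with-ajax-param", re.compile(r"/Helpdesk\.woa/wo/[^ ]*[?&][^ ]*=/ajax/")),
    ],
}

def scan_logs(logs: Dict[str, List[str]]) -> List[dict]:
    """Return one finding per (log, line, indicator) match, keeping the raw line for triage."""
    findings = []
    for name, lines in logs.items():
        for lineno, line in enumerate(lines, 1):
            for tag, pattern in INDICATORS.get(name, []):
                if pattern.search(line):
                    findings.append({"log": name, "line": lineno, "indicator": tag, "text": line})
    return findings

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f['log']}:{f['line']} [{f['indicator']}] {f['text']}")
```

A single hit from any one family is worth a look, but the combination of a client:client login followed within seconds by a /wo/ request with an /ajax/ parameter and a JSON-RPC error is the sequence the advisory describes.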
Mitigation Strategies
To protect systems from these vulnerabilities, it is imperative to:
– Upgrade to WHD 2026.1: SolarWinds has released version 2026.1, which addresses these critical issues. Administrators should prioritize updating to this version.
– Disable Default Accounts: Review and disable any default accounts, such as client:client, to prevent unauthorized access.
– Enforce Strict Request Filtering: Implement stringent request filtering to prevent malicious parameter manipulation and unauthorized access.
Historical Context
This is not the first time SolarWinds WHD has faced security vulnerabilities. In 2024, CVE-2024-28986 allowed RCE via AjaxProxy and was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog. Subsequent patches were bypassed by CVE-2024-28988 and CVE-2025-26399, highlighting the persistent challenges in securing the platform.
Conclusion
The discovery of these critical vulnerabilities underscores the importance of proactive cybersecurity measures. Organizations utilizing SolarWinds Web Help Desk must act swiftly to apply the necessary updates and review their security configurations to mitigate potential risks.