Critical SolarWinds Web Help Desk Flaw Enables Remote Code Execution
Horizon3.ai researchers have uncovered multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD). These flaws ultimately culminate in
The flaws chain static credentials, security-control bypasses, and deserialization weaknesses, and affect all WHD versions prior to 2026.1.
SolarWinds WHD, an IT service management platform for ticketing and asset tracking, has a history of Java deserialization vulnerabilities.
In 2024, CVE-2024-28986 allowed unauthenticated RCE through the AjaxProxy component and was added to CISA’s Known Exploited Vulnerabilities catalog; the fix was subsequently bypassed by CVE-2024-28988 and again by CVE-2025-26399.
The latest chain reaches the same code paths, bypassing the sanitization SolarWinds added to the JSON-RPC handling.
The flaws include hardcoded credentials, CSRF and request-filter bypasses, and unsafe deserialization in the jabsorb JSON-RPC library that WHD bundles.
Attackers bypass the request allowlist by rewriting the URI prefix from “/ajax/” to “/wo/”, instantiate arbitrary components via the “wopage” parameter, and then deliver deserialization gadgets such as JNDI lookups.
Exploit Chain
Unauthenticated attackers first request the login page to obtain a session, extracting the wosid session identifier and the XSRF token it issues.
They then defeat the request filter with “?badparam=/ajax/&wopage=LoginPref”: the “/ajax/” string sits in a parameter value rather than the path, which satisfies the filter while the “wopage” parameter instantiates LoginPref and exposes AjaxProxy. From there they POST crafted JSON-RPC payloads to JSONRPC, which are deserialized server-side.
A Nuclei template demonstrates the chain by triggering a JNDI lookup to an external server, an out-of-band confirmation that the deserialization sink is reachable and that RCE is possible.
Monitor the logs under <Install>/logs/ for signs of exploitation: requests that place “/ajax/” in a query parameter, “/wo/” requests carrying a “wopage” parameter, and JSON-RPC POSTs to AjaxProxy from sources that never authenticated.
Unfamiliar source IPs hitting these restricted endpoints are a strong indicator of compromise.
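As an added illustration of the detection guidance above (this is example code, not from the article or from Horizon3.ai or SolarWinds), the script below scans request logs for the indicators the chain leaves behind: “/ajax/” smuggled into a parameter value, “/wo/” requests with a “wopage” parameter, and JSON-RPC POSTs. The log format is assumed to be a common access-log layout and the sample lines are constructed; WHD’s own log format under <Install>/logs/ is not documented in the article, so adapt the regex to whatever your front-end proxy or WHD writes. The URL base path /helpdesk/WebObjects/Helpdesk.woa/ and the AjaxProxy/JSONRPC sub-paths are likewise assumptions for the sample data.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in a common access-log layout (not real WHD output).
# The paths are assumptions used only to exercise the detector.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [12/Jan/2026:10:14:03 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wa/Login HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/Jan/2026:10:14:05 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/?badparam=/ajax/&wopage=LoginPref HTTP/1.1" 200 812',
    '203.0.113.7 - - [12/Jan/2026:10:14:05 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/?badparam=%2Fajax%2F&WOPAGE=LoginPref HTTP/1.1" 200 812',
    '203.0.113.7 - - [12/Jan/2026:10:14:06 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wo/AjaxProxy/JSONRPC HTTP/1.1" 200 204',
    '198.51.100.4 - - [12/Jan/2026:10:20:11 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ajax/dashboard HTTP/1.1" 200 9010',
    '198.51.100.4 - - [12/Jan/2026:10:20:15 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/ajax/JSONRPC HTTP/1.1" 200 310',
])

# Access-log request line: client IP, timestamp, method, target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators taken from the article's description of the chain.
BYPASS_INDICATORS = {"wo-component-instantiation", "ajax-filter-bypass-in-param"}


def classify(method, target):
    """Return the indicator names matched by a single request target."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    # parse_qs percent-decodes values, so "%2Fajax%2F" is caught as well.
    query = parse_qs(parts.query, keep_blank_values=True)
    keys = {k.lower() for k in query}
    hits = []
    # "/wo/" replacing "/ajax/" plus "wopage=" to instantiate a component.
    if "/wo/" in path and "wopage" in keys:
        hits.append("wo-component-instantiation")
    # "/ajax/" placed in a parameter value to satisfy the request filter.
    if any("/ajax/" in v.lower() for values in query.values() for v in values):
        hits.append("ajax-filter-bypass-in-param")
    # JSON-RPC POSTs reach the deserialization sink; on their own they are also
    # normal UI traffic, so they only corroborate the bypass indicators.
    if method == "POST" and ("jsonrpc" in path or "ajaxproxy" in path):
        hits.append("jsonrpc-post")
    return hits


def scan(log_text):
    """Return (ip, method, target, indicators) for every line matching an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        hits = classify(m["method"], m["target"])
        if hits:
            findings.append((m["ip"], m["method"], m["target"], hits))
    return findings


def suspicious_ips(findings):
    """Rank source IPs that used at least one filter-bypass indicator."""
    counts = Counter(ip for ip, _, _, hits in findings if BYPASS_INDICATORS & set(hits))
    return counts.most_common()


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for ip, method, target, hits in results:
        print(f"{ip} {method} {target} -> {', '.join(hits)}")
    print("suspicious sources:", suspicious_ips(SAMPLE_LOG and results))
```

Only the bypass indicators are used to rank sources; a JSON-RPC POST by itself is what the legitimate web UI does, so it is reported but not counted. Feed the script real logs by replacing SAMPLE_LOG with the file contents, and adjust REQUEST_RE if WHD or your reverse proxy logs in a different layout.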
Mitigations
Upgrade immediately to WHD 2026.1, which SolarWinds’ release notes state addresses these issues. Review the deployment to disable default accounts and to enforce strict request filtering at the front end, since the filter bypass relies on the application accepting “/ajax/” in a parameter value.
Detection coverage exists in tools such as Horizon3.ai’s NodeZero; monitor CISA advisories for updates on in-the-wild exploitation.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.