{"id":10232,"date":"2026-01-29T10:04:25","date_gmt":"2026-01-29T10:04:25","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/01\/29\/critical-solarwinds-web-vulnerability-allows-remote-code-execution-and-security-bypass\/"},"modified":"2026-01-29T10:04:25","modified_gmt":"2026-01-29T10:04:25","slug":"critical-solarwinds-web-vulnerability-allows-remote-code-execution-and-security-bypass","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/01\/29\/critical-solarwinds-web-vulnerability-allows-remote-code-execution-and-security-bypass\/","title":{"rendered":"Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass"},"content":{"rendered":"

Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) via Java deserialization in CVE-2025-40551, were uncovered by Horizon3.ai researchers. <\/p>\n

These flaws chain static credentials, security bypasses, and deserialization weaknesses, affecting versions prior to 2026.1.<\/a><\/p>\n

SolarWinds WHD, an IT service management platform for ticketing and asset tracking, has faced repeated deserialization issues. <\/p>\n

In 2024, CVE-2024-28986<\/a> enabled RCE via AjaxProxy and was added to CISA\u2019s Known Exploited Vulnerabilities<\/a> catalog; patches were bypassed by CVE-2024-28988 and CVE-2025-26399.<\/p>\n

The latest chain exploits similar paths, bypassing sanitization in JSON-RPC handling.<\/p>\n

Vulnerability Demo (Source: Horizon3.ai)<\/figcaption><\/figure>\n

The flaws include hardcoded credentials, CSRF<\/a> and request-filter bypasses, and unsafe deserialization in the jabsorb library.<\/a>\u200b<\/p>\n

\n\n\n\n\n\n\n\n
CVE ID<\/th>\nDescription<\/th>\nCVSS v3.1 Score<\/th>\nImpact<\/th>\n<\/tr>\n<\/thead>\n
CVE-2025-40551<\/td>\nUnauthenticated RCE via AjaxProxy deserialization<\/td>\n9.8<\/td>\nRemote command execution<\/a>\n<\/td>\n<\/tr>\n
CVE-2025-40537<\/td>\nStatic \u201cclient:client\u201d credentials enabling admin access<\/td>\n7.5<\/td>\nUnauthorized privilege escalation<\/a>\n<\/td>\n<\/tr>\n
CVE-2025-40536<\/td>\nProtection bypass via bogus \u201c\/ajax\/\u201d parameter<\/td>\n8.1<\/td>\nAccess to restricted WebObjects<\/a>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Attackers bypass whitelists by altering URIs from \u201c\/ajax\/\u201d to \u201c\/wo\/\u201d, create components with \u201cwopage\u201d, and inject gadgets like JNDI lookups.<\/a>\u200b<\/p>\n

Exploit Chain<\/strong><\/h2>\n

Unauthenticated attackers start by creating a session on the login page to extract wosid and XSRF tokens. <\/p>\n

They bypass filters with \u201c?badparam=\/ajax\/&wopage=LoginPref\u201d to instantiate LoginPref, enabling AjaxProxy access, then POST malicious JSON payloads via JSONRPC for deserialization. <\/p>\n

A Nuclei template demonstrates JNDI lookup to external servers, confirming RCE potential.<\/a>\u200b<\/p>\n

Monitor logs in\u00a0<Install>\/logs\/ for exploitation signs.<\/a>\u200b<\/p>\n

\n\n\n\n\n\n\n\n
Log Type<\/th>\nIOC Example<\/th>\n<\/tr>\n<\/thead>\n
whd-session.log<\/td>\n\u201ceventType=[login], accountType=[client], username=[client]\u201d<\/a>\u200b<\/td>\n<\/tr>\n
whd.log<\/td>\n\u201cWhitelisted payload with matched keyword: java..\u201d or JSONRPC errors<\/a>\u200b<\/td>\n<\/tr>\n
Access logs<\/td>\nRequests to \u201c\/Helpdesk.woa\/wo\/*\u201d with non-whitelisted params like \u201cbadparam=\/ajax\/\u201d<\/a>\u200b<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Unusual IPs hitting restricted endpoints signal compromise.<\/a>\u200b<\/p>\n

Mitigations<\/strong><\/h2>\n

Upgrade immediately to WHD 2026.1, which addresses these issues, according to SolarWinds\u2019 release notes<\/a>. Review configurations to disable default accounts and enforce strict request filtering.<\/p>\n

Coverage exists in tools like NodeZero; monitor CISA advisories for exploitation updates.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Guru Baran
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

Critical Solarwinds Web Vulnerability Allows Remote Code Execution and Security Bypass Multiple critical vulnerabilities in SolarWinds Web Help Desk (WHD), culminating in unauthenticated remote code execution (RCE) via Java deserialization in CVE-2025-40551, were uncovered by Horizon3.ai researchers. These flaws chain static credentials, security bypasses, and deserialization weaknesses, affecting versions prior to 2026.1. SolarWinds WHD, an […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,131,648],"tags":[130],"class_list":["post-10232","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10232"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10232"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10232\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10232"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10232"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10232"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}