CVE-2025-40536
Published 2026-01-28
CVE-2025-40536: SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to…
Priority: P1 · 97 · critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2026-02-15
Exploited in the wild
EPSS: 81.62% (99.6th percentile)
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | web_help_desk | < 2026.1 | 2026.1 |
| solarwinds | web_help_desk | — | — |
Detection & IOCs (extracted from sources)
url: hxxps://github[.]com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi
command: SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR "C:\Users\\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db - device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"
command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
command: reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealTimeMonitoring /t REG_DWORD /d 1 /f
registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOAVProtection
sigma (EQL query):
any where host.os.type == "windows" and (
(event.category == "library" and
process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and
(dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
(event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe"))
)
- Initial exploitation chain: wrapper.exe spawns java.exe which spawns cmd.exe under the WHD install path. Alert on cmd.exe, powershell.exe, or rundll32.exe with a parent matching C:\Program Files\WebHelpDesk\*\java*.exe.
- Velociraptor version 0.73.4 (outdated, with a privilege escalation vulnerability) was used as attacker C2. Detect the Velociraptor service running with a client.config.yaml pointing to Cloudflare Workers or mooo.com domains.
- C2 failover mechanism: monitor for PowerShell scripts that probe the /reader endpoint on v2-api.mooo[.]com, rewrite C:\Program Files\Velociraptor\client.config.yaml, and then restart the Velociraptor service.
- Detect DLL loads from UNC/network paths (\Device\Mup\*) or unsigned DLLs loaded by java.exe under the WebHelpDesk install directory as an indicator of exploitation.
- The CVE-2025-40536 bypass involves including '/ajax/' in a query parameter to circumvent URI validation; switching from '/ajax/' to '/wo/' endpoints bypasses payload sanitization. Monitor WHD web logs for requests to /wo/ endpoints with badparam=/ajax/ query strings.
- Shodan fingerprint for exposed SolarWinds Web Help Desk instances: http.favicon.hash:1895809524. Use for asset discovery and attack surface monitoring.
- Nuclei version check: WHD versions reporting build token < 12.8.8.2585 (via regex \?v=([0-9]+_[0-9]+_[0-9]+_[0-9]+) in page body) are vulnerable to CVE-2025-40536.
- Attacker used an Elastic Cloud free trial on GCP as a victim-data exfiltration backend (SIEM-as-C2). Investigate PowerShell executing Get-ComputerInfo and shipping results to external Elasticsearch endpoints.
- CVE-2025-40536 is a security control bypass (CSRF whitelist bypass) that is chained with CVE-2025-40551 (JNDI deserialization RCE) to achieve unauthenticated RCE. Neither CVE alone is sufficient for full exploitation in the chained attack path.
- Elastic Security Labs did not observe direct telemetry for this activity at time of publication; detections are based on third-party reporting (Microsoft, Huntress, Cisco Talos).
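The web-log monitoring advice above (requests to /wo/ endpoints carrying '/ajax/' inside a query-string parameter, the same shape the Suricata rule on this page matches) can be turned into a small log check. The following is an added example written for this page, not code from SolarWinds, Elastic, Emerging Threats or any other source listed here; the access-log format, field names and sample lines are constructed assumptions. It URL-decodes parameter values, so an encoded `%2Fajax%2F` is caught as well as the literal form.

```python
"""Flag WHD access-log requests that hit a /wo/ page with '/ajax/' in a query value.

Added example (not from the page's sources). Assumes Common Log Format style
lines; the sample log below is constructed for this demonstration.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Assumption: CLF-style access log; adjust the regex to the real WHD/front-end log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoint family named in the Suricata rule and the detection notes above.
WO_PATH = "/helpdesk/WebObjects/Helpdesk.woa/wo/"


def is_suspicious_request(method, target):
    """True for a GET to a /wo/ page whose query has a parameter value containing '/ajax/'.

    parse_qsl URL-decodes values, so both 'badparam=/ajax/' and
    'badparam=%2Fajax%2F' are detected.
    """
    if method.upper() != "GET":
        return False
    parts = urlsplit(target)
    if not parts.path.startswith(WO_PATH):
        return False
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if "/ajax/" in value:
            return True
    return False


def scan_access_log(lines):
    """Return (client_ip, timestamp, request_target) for every matching log line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:  # skip lines that do not parse rather than failing the whole scan
            continue
        if is_suspicious_request(m["method"], m["target"]):
            hits.append((m["ip"], m["ts"], m["target"]))
    return hits


# Constructed sample lines: one benign page load, one matching /wo/ request,
# one ordinary /ajax/ request, and one POST that the GET-only rule ignores.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Feb/2026:10:00:01 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 1234',
    '203.0.113.10 - - [01/Feb/2026:10:00:05 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/SomePage?wopage=foo&badparam=/ajax/ HTTP/1.1" 200 456',
    '198.51.100.7 - - [01/Feb/2026:10:01:00 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ajax/SomePage?x=1 HTTP/1.1" 200 321',
    '198.51.100.7 - - [01/Feb/2026:10:02:00 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wo/SomePage?badparam=/ajax/ HTTP/1.1" 200 321',
]

if __name__ == "__main__":
    for ip, ts, target in scan_access_log(SAMPLE_LOG):
        print(f"suspicious WHD request from {ip} at {ts}: {target}")
```

Run it over a real access log by replacing `SAMPLE_LOG` with the file's lines; a hit is a triage lead (check the source IP against the host and library-load detections above), not proof of exploitation on its own, since the check only sees the request shape, not the outcome.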
CVSS provenance
- nvd: v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- vulncheck: 8.1 HIGH
- cisa: 9.8 CRITICAL
GHSA
GHSA-m83h-48rr-jcrh: SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated atta
ghsa_unreviewed·2026-01-28
CVE-2025-40536 [HIGH] CWE-693 GHSA-m83h-48rr-jcrh: SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated atta
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
VulnCheck
SolarWinds Web Help Desk Security Control Bypass Vulnerability
vulncheck·2025·CVSS 8.1
CVE-2025-40536 [HIGH] CWE-693 SolarWinds Web Help Desk Security Control Bypass Vulnerability
SolarWinds Web Help Desk Security Control Bypass Vulnerability
SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.
Affected: SolarWinds Web Help Desk
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-02-15
CISA
SolarWinds Web Help Desk Security Control Bypass Vulnerability
cisa·2026-02-12·CVSS 9.8
CVE-2025-40536 [CRITICAL] CWE-693 SolarWinds Web Help Desk Security Control Bypass Vulnerability
Vulnerability: SolarWinds Web Help Desk Security Control Bypass Vulnerability
Affected: SolarWinds Web Help Desk
SolarWinds Web Help Desk contains a security control bypass vulnerability that could allow an unauthenticated attacker to gain access to certain restricted functionality.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm ; https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536 ; https://nvd.nist.gov/vuln/detail/CVE-2025-40536
Remediation Due Date: 2026-02-15
Suricata
ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536)
suricata·2026-01-29·CVSS 8.1
CVE-2025-40536 [HIGH] ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536)
ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Authentication Bypass (CVE-2025-40536)"; flow:established,to_server; http.uri; content:"/helpdesk/WebObjects/Helpdesk.woa/wo/"; fast_pattern; content:"/ajax/"; content:"wopage|3d|"; http.method; content:"GET"; reference:url,horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/; reference:cve,2025-40536; classtype:web-application-attack; sid:2067188; rev:1; metadata:affected_product SolarWinds, attack_target Server, tls_state TLSDecrypt, created_at 2026_01_29, cve CVE_2025_40536, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signat
Elastic
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
elastic_rules·CVSS 9.8
CVE-2025-40536 [CRITICAL] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.
Query:
any where host.os.type == "windows" and
(
(event.category == "library" and
process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and
(dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
(event.category == "process" and process.
Nuclei
SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
nuclei·CVSS 9.8
CVE-2025-40536 [CRITICAL] SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
Template:
id: CVE-2025-40536
info:
name: SolarWinds Web Help Desk < 12.8.8 Hotfix 1 (HF1) - Security Control Bypass
author: inokii
severity: high
description: |
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
impact: |
Attackers can gain access to certain restricted functionality.
remediation: |
Apply the available 12.8.8 Hotfix 1 (HF1) or upgrade to ve
Nuclei
SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
nuclei·CVSS 9.8
CVE-2025-40551 [CRITICAL] SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
SolarWinds Web Help Desk before version 2026.1 contains an insecure deserialization vulnerability in the jabsorb JSON-RPC library. When chained with a CSRF whitelist bypass (CVE-2025-40536), remote unauthenticated attackers can exploit JNDI injection via the Apache Xalan JNDIConnectionPool class to achieve remote code execution. The bypass involves including "/ajax/" in a query parameter to circumvent URI validation, while switching from "/ajax/" to "/wo/" endpoints bypasses payload sanitization routines.
Template:
id: CVE-2025-40551
info:
name: SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
author: Horizon3.ai
severity: critical
description: |
SolarWinds Web Help Desk before version 2026.1 c
Metasploit
SolarWinds Web Help Desk unauthenticated RCE
metasploit·CVSS 9.8
CVE-2025-40536 [CRITICAL] SolarWinds Web Help Desk unauthenticated RCE
SolarWinds Web Help Desk unauthenticated RCE
This module exploits an access control bypass vulnerability (CVE-2025-40536) and an unsafe deserialization vulnerability (CVE-2025-40551) to achieve unauthenticated RCE against a vulnerable SolarWinds Web Help Desk (WHD) server.
Checkpoint
2nd March – Threat Intelligence Report
blogs_checkpoint·2026-03-02
CVE-2025-59536 2nd March – Threat Intelligence Report
## 2nd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate the stolen dataset includes HR-related information, including contact details and employment records f
Elastic
SolarWinds Web Help Desk Exploitation - February 2026 — Elastic Security Labs
blogs_elastic·2026-02-10·CVSS 9.8
[CRITICAL] SolarWinds Web Help Desk Exploitation - February 2026 — Elastic Security Labs
## SolarWinds Web Help Desk Exploitation - February 2026
Elastic Security detection and prevention capabilities for the recently-disclosed SolarWinds Web Help Desk vulnerabilities.
## Summary
On February 6, 2026, Microsoft reported the exploitation of SolarWinds Web Help Desk (WHD) servers
The exploitation facilitated multi-stage intrusions leveraging remote monitoring and management software (RMM), credential dumping, and setting up tunnels and RDP for persistent access
While not yet confirmed, the activity may be associated with one of the following disclosed CVEs: CVE-2025-26399 , CVE-2025-40536 , and CVE-2025-40551
Elastic Security Labs does not observe telemetry events related to this activity as of the date of this publication
Elastic Defend provides comprehensive visibility,
Huntress
Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)
blogs_huntress·2026-02-08·CVSS 9.8
[CRITICAL] Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)
Acknowledgments: Special thanks to Dipo Rodipe, Dray Agha, and Lindon Wass for their contributions to this investigation and write-up.
TL;DR : Huntress has observed threat actors exploiting SolarWinds Web Help Desk vulnerability across 3 customers; organizations should apply the update from SolarWinds’ website as soon as possible.
## Background
On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control.
This intrusion stemmed from the many recently disclosed vulnerabilities affecting SolarWinds WHD. The most critical vulnerabilities grant an adversary arbitrary code execution vi
Wiz
CVE-2025-40536 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-40536 [HIGH] CVE-2025-40536 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-40536: SolarWinds Web Help Desk vulnerability analysis and mitigation
SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality.
Source: NVD
Score: 9.8
Published: January 28, 2026
Severity: CRITICAL
CNA Score: 8.1
High-profile Vulnerability: Yes
Affected Technologies: SolarWinds Web Help Desk
Has Public Exploit: Yes
Has CISA KEV Exploit: Yes
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 98.6
Exploitation Probability (EPSS): 68.3
Affected packages and libraries: cpe:2.3:a:solarwinds:web_help_desk
Sources
Linux: Severity CRITICAL, Has Fix, Added at: Jan 29, 2026
Windows Seve
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
References:
- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40536
- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
Timeline:
- 2026-01-28: Published
- 2026-02-12: Added to CISA KEV
- Exploited in the wild