CVE-2025-40551 - Another Solarwinds Web Help Desk Deserialization Issue
We discovered a handful of security issues in SolarWinds Web Help Desk. They include an unauthenticated remote-code-execution vulnerability via deserialization, static credentials that allow limited access to authenticated functionality, and a security protection bypass affecting protected site actions. These vulnerabilities are easily exploitable and enable unauthenticated attackers to achieve remote code execution on vulnerable SolarWinds Web Help Desk instances. SolarWinds has stated that these issues are patched in Web Help Desk version 2026.1, and we encourage all users to upgrade as soon as possible.
SolarWinds Web Help Desk (WHD) is a help-desk and IT service management platform. Back in August 2024, SolarWinds released an advisory for WHD to address CVE-2024-28986, a deserialization vulnerability in the AjaxProxy functionality that could result in remote code execution. Within a few days, this vulnerability was added to CISA’s Known Exploited Vulnerabilities catalogue. A couple of months later, another advisory (CVE-2024-28988) was released stating that a bypass had been discovered for the previous patch. Then, in September 2025, yet another advisory (CVE-2025-26399) was released to cover a further patch bypass. Fast-forward to the present day: yet another advisory has been released to cover yet another bypass.
The issues detailed include static credentials (CVE-2025-40537). When WHD first initializes, a client account is created for demo purposes with the username “client” and the default password “client”. We’ve come across cases where this account is still associated with the default tech account, allowing anyone who logs in as the “client” user to switch to the administrator account.

A security protection bypass (CVE-2025-40536) was also found. The whitelisting functionality can be bypassed by including a bogus URI parameter with a value of “/ajax/”, which grants access to certain restricted functionality. The “wopage” parameter can then be used to load WebObject component pages directly. For example, after establishing a valid session, an unauthenticated user can submit a GET request to the following endpoint: /helpdesk/WebObjects/Helpdesk.woa/wo/test.wo/<wosid>/1.0?badparam=/ajax/&wopage=LoginPref. This is sufficient to create a LoginPref WebObject component server-side, which in turn creates a valid AjaxProxy instance.

This leads to the Java deserialization vulnerability (CVE-2025-40551). When handling requests destined for components that use this functionality, the jabsorb library is used to dynamically load and execute various component actions, and jabsorb is known to contain a variety of code execution issues. In previous attempts to fix this issue, a routine was added to sanitize the “params” and “fixups” fields of requests destined for the JSONRPC bridge, AjaxProxy. This sanitize function decides whether a request is destined for AjaxProxy by checking whether the URI contains “ajax”, which is insufficient: simply changing the request URI from “ajax” to “wo” bypasses the new sanitization routine. Additionally, the blacklist used in the existing “checkSuspeciousPayload()” function can be bypassed via the “isWhitelisted()” function.
By including each of the whitelisted terms early in the JSON payload, requests can bypass the blacklist altogether, which allows the same remote-code-execution potential as the previous CVEs concerning AjaxProxy functionality. While newer versions of WHD no longer ship the C3P0 libraries that previously provided gadgets leading to RCE, other classes on the classpath could allow an attacker to perform malicious actions, such as forging sessions or even continuing to achieve unauthenticated RCE.
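The request shape described above (a component URL under /wo/ carrying a bogus parameter whose value is “/ajax/” together with a “wopage” parameter) is something defenders can look for in web-server access logs while they arrange the upgrade. The following Python is an added detection example and is not code from the advisory, its authors or SolarWinds. The log lines, the timestamps, the client addresses and the session-id placeholder are all constructed for the example; the only values taken from the text are the endpoint prefix, the “/ajax/” marker and the “wopage” parameter name. It generalizes slightly beyond the quoted request by also flagging a percent-encoded “/ajax/” in any query value on a path that does not itself contain “/ajax/”, since the sanitization routine described above keys on the URI rather than on the dispatched component.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache/nginx "combined" format); not real traffic.
# WOSID-PLACEHOLDER stands in for the <wosid> session value mentioned in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2026:10:01:02 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Jan/2026:10:01:09 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/test.wo/WOSID-PLACEHOLDER/1.0?badparam=/ajax/&wopage=LoginPref HTTP/1.1" 200 812 "-" "python-requests/2.31"
10.0.0.7 - - [12/Jan/2026:10:02:30 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wa/Login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2026:10:03:11 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/other.wo/WOSID-PLACEHOLDER/2.0?x=%2Fajax%2F HTTP/1.1" 200 400 "-" "curl/8.0"
"""

# Component-dispatch prefix taken from the endpoint quoted in the advisory.
WO_PREFIX = "/helpdesk/WebObjects/Helpdesk.woa/wo/"

REASON_AJAX_IN_QUERY = ("'/ajax/' appears in a query value but not in the path "
                        "(whitelist-bypass pattern, CVE-2025-40536)")
REASON_WOPAGE = "'wopage' used to load a WebObject component directly on a /wo/ endpoint"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of reasons a parsed request matches the bypass pattern (empty if none)."""
    parts = urlsplit(entry["target"])
    path = parts.path
    # parse_qsl percent-decodes values, so %2Fajax%2F is compared as /ajax/.
    query = parse_qsl(parts.query, keep_blank_values=True)
    reasons = []
    if "/ajax/" not in path and any("/ajax/" in value for _, value in query):
        reasons.append(REASON_AJAX_IN_QUERY)
    if path.startswith(WO_PREFIX) and any(key == "wopage" for key, _ in query):
        reasons.append(REASON_WOPAGE)
    return reasons


def scan(log_text):
    """Return one record per flagged request: client ip, timestamp, target and reasons."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        reasons = classify(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "ts": entry["ts"],
                         "target": entry["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["target"]}')
        for reason in hit["reasons"]:
            print(f"    - {reason}")
```

Run against the constructed sample, the scan flags the second line on both counts and the fourth line for the encoded “/ajax/” value only; the login POST and the plain landing-page request are left alone. Because the check inspects the decoded query rather than the raw URI, it is not defeated by percent-encoding, which is exactly the property the original substring check on “ajax” lacked.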
From end to end, in order to chain these issues to achieve RCE, an attacker needs to perform the following:
- Establish a valid session and extract key values.
- Create a LoginPref component.
- Set the state of the LoginPref component to allow us to access the file upload.
- Use the JSONRPC bridge to create some malicious Java objects behind the scenes.
- Trigger these malicious Java objects.
To read the complete article see: CVE-2025-40551 - Another Solarwinds Web Help Desk Deserialization Issue