CVE-2025-40536 — SolarWinds Web Help Desk Security Control Bypass Vulnerability

CVE-2025-40536

SolarWinds Web Help Desk — CSRF Bypass via /ajax/ URI Injection; Chains with CVE-2025-40551 for Unauthenticated RCE; 3-Day Emergency Deadline

What is SolarWinds Web Help Desk?

SolarWinds Web Help Desk (WHD) is an IT service management platform used by organizations to manage help desk ticketing, asset tracking, and change management. WHD runs as a Java web application (built on the WebObjects framework) and is frequently exposed to the internet for remote IT support operations. SolarWinds products are high-value targets: the 2020 SolarWinds SUNBURST supply chain attack compromised thousands of organizations globally.

Overview

CVE-2025-40536 is a security control bypass (CWE-693) in SolarWinds Web Help Desk that allows an unauthenticated attacker to bypass CSRF token validation and access restricted functionality. The bypass is achieved by injecting a fake URI parameter containing /ajax/ into HTTP requests, exploiting a flaw in the checkCsrfTokenWo() function's whitelist check. When chained with CVE-2025-40551 (Java deserialization RCE), it enables full unauthenticated remote code execution. Microsoft documented active exploitation by a threat actor that deployed Zoho RMM for persistence, QEMU VMs for stealth, and DCSync for credential theft. CISA issued a 3-day emergency remediation deadline.

Affected Versions

Product                    Vulnerable    Fixed
SolarWinds Web Help Desk   < 2026.1      2026.1

Technical Details

The checkCsrfTokenWo() function validates CSRF tokens for incoming requests and checks whether a URI path is in a whitelist of paths exempt from CSRF validation. The whitelist check looks for /ajax/ in the URI path. The flaw: an attacker injects /ajax/ as a fake query parameter or path suffix (e.g., ?/ajax/) that appears in the full request URL but is not actually part of the path — causing the whitelist check to pass while the request reaches a protected endpoint without a valid CSRF token.

This allows an unauthenticated attacker to interact with WebObjects components like LoginPref via the wopage parameter, creating a valid AjaxProxy instance that is then weaponized to trigger CVE-2025-40551 (deserialization).

Full attack chain:

  1. CVE-2025-40536 (this CVE): CSRF bypass → unauthenticated access to restricted WHD endpoints
  2. CVE-2025-40551: Untrusted Java object deserialization triggered via the AjaxProxy mechanism → Remote Code Execution as the WHD service account (typically SYSTEM)

Post-exploitation TTPs observed by Microsoft:

  • PowerShell/BITS downloads for payload staging
  • Zoho ManageEngine RMM agent for persistent remote access
  • QEMU virtual machine deployment for stealth lateral movement
  • DLL sideloading for defense evasion
  • SSH tunneling for exfiltration
  • DCSync for Active Directory credential dumping

Discovery

Microsoft Defender Security Research Team (Sagar Patil, Hardik Suri, Eric Hopper, Kajhon Soyini) identified active exploitation in December 2025 and published analysis February 6, 2026.

Exploitation Context

Active exploitation began in December 2025 — six weeks before the CVE was published and the patch was released, making this a zero-day. CISA's 3-day deadline (February 12–15, 2026) reflects the severity of the ongoing attacks. The threat actor deployed a sophisticated post-exploitation toolkit including Zoho RMM for persistent C2, QEMU for hosting lateral movement infrastructure invisibly, and DCSync to exfiltrate all Active Directory hashed passwords.

Remediation

  1. Upgrade to WHD 2026.1 immediately — the CISA deadline was February 15, 2026; treat this as an emergency patch.
  2. Hunt for Zoho ManageEngine RMM agent installations on the WHD server and adjacent hosts — this was the primary persistence mechanism.
  3. Check for QEMU VM instances running on the WHD server or nearby hosts (unexpected hypervisor processes, disk image files).
  4. Rotate all Active Directory credentials if DCSync was performed — assume all domain hashed passwords were exfiltrated.
  5. Restrict internet access to WHD — it should be accessible only to internal users or over VPN; an internet-facing WHD instance is unnecessary for most deployments.
  6. Review WHD logs for requests containing /ajax/ injected as URI parameters from unexpected source IPs.
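The Technical Details section describes the shape of the flaw (a CSRF-exemption check that finds /ajax/ anywhere in the request URL rather than in the routed path), and remediation step 6 asks for a log review for exactly that pattern. The following is an added illustration, not SolarWinds code and not the actual checkCsrfTokenWo() implementation: a naive substring check next to a hardened path-only check, and a scanner that flags access-log lines where the two disagree. The function names, the common-log-style format, the placeholder application path /helpdesk/app.woa and every sample line are constructed for this example.

```python
# Added example (not SolarWinds code): contrast a CSRF-exemption check that
# looks for "/ajax/" anywhere in the raw request target with one that inspects
# only the normalized path, then use the difference to flag log lines where the
# marker sits in the query string rather than the path. Function names, the
# log format and every sample line are constructed for this illustration.
import re
from urllib.parse import unquote, urlsplit

EXEMPT_MARKER = "/ajax/"


def exempt_naive(target: str) -> bool:
    """Flawed pattern: substring match over the whole request target, so
    '?/ajax/' in the query string satisfies it although the routed path
    is a protected endpoint."""
    return EXEMPT_MARKER in target


def exempt_path_only(target: str) -> bool:
    """Hardened pattern (assumed, not WHD's actual fix): decode, keep only the
    path component, split it into segments, reject traversal, and require
    'ajax' to be a whole path segment rather than a substring of the URL."""
    path = unquote(urlsplit(target).path)
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        return False
    return "ajax" in segments


# Common-log-style access line: client, ident, user, [timestamp], "request", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_ajax_requests(log_lines):
    """Return (client_ip, request_target) for every request in which the naive
    check would grant an exemption but the path-only check would not: the
    exact shape of the bypass described in the advisory."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole scan
        target = m.group("target")
        if exempt_naive(target) and not exempt_path_only(target):
            hits.append((m.group("ip"), target))
    return hits


# Constructed sample log; "/helpdesk/app.woa" is a placeholder application
# path, not WHD's real deployment path.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Dec/2025:10:15:02 +0000] "POST /helpdesk/app.woa?/ajax/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Dec/2025:10:15:09 +0000] "GET /helpdesk/app.woa/ajax/poll HTTP/1.1" 200 88',
    '10.0.0.5 - - [01/Dec/2025:10:16:00 +0000] "GET /helpdesk/app.woa/wa/Tickets HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Dec/2025:10:16:31 +0000] "GET /helpdesk/app.woa/wa/Tickets?x=/ajax/ HTTP/1.1" 200 77',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, target in suspicious_ajax_requests(SAMPLE_LOG):
        print(f"suspicious: {ip} {target}")
```

The scanner deliberately reuses the two checks instead of a hand-written regex: any request the flawed check would exempt but the path-only check would not is, by construction, a candidate for the bypass, which keeps detection and the hardened logic in step. Legitimate traffic whose path genuinely contains an ajax segment (the second sample line) passes both checks and is not flagged.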

Key Details

Property              Value
CVE ID                CVE-2025-40536
Vendor / Product      SolarWinds — Web Help Desk
NVD Published         2026-01-28
NVD Last Modified     2026-02-13
CVSS 3.1 Score        8.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-693
CISA KEV Added        2026-02-12
CISA KEV Deadline     2026-02-15
Known Ransomware Use  No

CVSS 3.1 Breakdown

Metric                Value
Attack Vector         Network
Attack Complexity     High
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2026-02-15. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-12-01   Active exploitation in the wild begins (Microsoft telemetry)
2026-01-28   CVE published; SolarWinds releases WHD 2026.1 with fix
2026-02-06   Microsoft publishes detailed exploitation campaign analysis
2026-02-12   Added to CISA Known Exploited Vulnerabilities catalog with 3-day emergency deadline
2026-02-15   CISA BOD 22-01 emergency remediation deadline