CVE-2025-40551 — SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

SolarWinds Web Help Desk — Pre-Auth Java Deserialization RCE via jabsorb Bypass (3-Day CISA Deadline)

What is SolarWinds Web Help Desk?

SolarWinds Web Help Desk (WHD) is an IT service management (ITSM) and help desk ticketing platform used by organizations to manage IT support requests, asset tracking, and change management. It is deployed on-premises and often has network-wide access to IT assets — integration with Active Directory, LDAP, SNMP monitoring, and direct access to internal systems. Because Web Help Desk sits at the center of IT operations, its compromise gives an attacker visibility into IT infrastructure, access to stored credentials, and a trusted internal pivot point. SolarWinds products have been a recurring target following the high-profile SolarWinds SUNBURST supply chain attack of 2020.

Overview

CVE-2025-40551 is a critical pre-authentication Java deserialization vulnerability (CWE-502, CVSS 9.8) in SolarWinds Web Help Desk. The AjaxProxy functionality uses the jabsorb JSON-RPC library to dynamically execute component actions. A sanitization routine checks for "ajax" in the URI — but the nearly identical wo (WebObjects) handler path bypasses this check (tracked separately as CVE-2025-40536). An unauthenticated attacker sends a crafted HTTP request containing a malicious serialized Java object, which the application deserializes and executes with the privileges of the Web Help Desk service account. CISA added it to the KEV catalog 6 days after the advisory with a 3-day remediation deadline — among the shortest in KEV history — indicating evidence of active exploitation.

Affected Versions

Product: SolarWinds Web Help Desk
Vulnerable: 12.8.8 Hotfix 1 and all prior versions
Fixed: Web Help Desk 2026.1

Technical Details

The vulnerability (CWE-502: Deserialization of Untrusted Data) is in WHD's AjaxProxy component and the jabsorb JSON-RPC library it uses. The application uses jabsorb to dynamically resolve and invoke server-side Java components based on the request URI and JSON-RPC method call.

A sanitization routine checks whether the request URI contains the string "ajax" before allowing jabsorb deserialization to proceed. However, the handler that processes wo (WebObjects) component requests is functionally identical to the ajax handler — it uses the same jabsorb library with the same gadget-chain-enabling code paths. By changing the URI from the ajax path to the wo path, the attacker bypasses the sanitization check entirely.

The unauthenticated attacker then submits a crafted HTTP request to the unprotected wo endpoint containing a malicious serialized Java object. Using publicly known jabsorb gadget chains, the deserialization triggers arbitrary code execution as the Web Help Desk service account (typically a privileged Windows service account or a Linux user). This attack is also tracked as CVE-2025-40536 for the sanitization bypass component; CVE-2025-40551 through CVE-2025-40554 cover four distinct vulnerabilities disclosed simultaneously.

Discovery

Discovered by Horizon3.ai, who published a technical analysis and proof-of-concept. Rapid7 published an independent ETR (Exploitability This Round) analysis covering all four co-disclosed vulnerabilities. SecurityWeek noted the flaws were "potentially exploited as zero-days."

Exploitation Context

CISA added CVE-2025-40551 to the KEV catalog on 3 February 2026 — just 6 days after the advisory — with a 3-day remediation deadline (6 February 2026). This is one of the shortest deadlines CISA has ever issued, reflecting strong evidence of active exploitation. SolarWinds confirmed exploitation. SecurityWeek described the vulnerabilities as "potentially exploited as zero-days," suggesting exploitation may have preceded the public advisory. Full system compromise enables: persistent access to IT management infrastructure, harvesting of Active Directory and LDAP credentials, access to all help desk tickets and IT asset inventory, and lateral movement to any system managed by Web Help Desk.

Remediation

  1. Upgrade SolarWinds Web Help Desk to version 2026.1 immediately — this is the only remediation. Download from the SolarWinds Customer Portal.
  2. Also apply patches for co-disclosed CVEs (CVE-2025-40552, CVE-2025-40553, CVE-2025-40554) — all addressed in the 2026.1 release.
  3. Restrict WHD network access: apply firewall rules to limit HTTPS access to the Web Help Desk server to trusted internal networks and administrative subnets only. WHD should never be directly internet-accessible.
  4. Audit WHD logs for unexpected AjaxProxy or wo requests containing serialized Java content — anomalous POST request sizes to these endpoints are an indicator.
  5. Review Active Directory and LDAP credentials stored in WHD configuration — rotate any service account passwords if compromise is suspected.
  6. Check WHD's integration points: any system WHD has agent-based or API-based access to should be reviewed for unauthorized activity if WHD is compromised.
  7. Review all WHD admin accounts for unauthorized additions — attackers with RCE will typically create backdoor accounts to maintain persistence.
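The log audit in step 4, as an added example that is not part of the original advisory: a small Python triage script run over constructed key=value access-log lines (the log layout and the /ajax/ and /wo/ URL paths are assumptions, not WHD's real format) that flags POSTs reaching AjaxProxy through the wo path and POST bodies far above the baseline of normal ajax-path calls.

```python
import re
import statistics

# Constructed sample lines in a simple key=value layout (NOT WHD's real log format;
# URL paths are assumed). Adapt LINE_RE and the path tests to your actual access log.
SAMPLE_LOG = """\
2026-02-04T10:01:02Z src=10.0.0.5 method=GET path=/helpdesk/WebObjects/Helpdesk.woa status=200 req_bytes=0
2026-02-04T10:01:09Z src=10.0.0.5 method=POST path=/helpdesk/WebObjects/Helpdesk.woa/ajax/AjaxProxy status=200 req_bytes=318
2026-02-04T10:01:31Z src=10.0.0.8 method=POST path=/helpdesk/WebObjects/Helpdesk.woa/ajax/AjaxProxy status=200 req_bytes=402
2026-02-04T10:02:15Z src=203.0.113.7 method=POST path=/helpdesk/WebObjects/Helpdesk.woa/wo/AjaxProxy status=200 req_bytes=48213
2026-02-04T10:03:40Z src=10.0.0.9 method=POST path=/helpdesk/WebObjects/Helpdesk.woa/wo/TicketForm status=302 req_bytes=1024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) path=(?P<path>\S+) "
    r"status=(?P<status>\d+) req_bytes=(?P<req_bytes>\d+)$"
)

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            row = m.groupdict()
            row["req_bytes"] = int(row["req_bytes"])
            yield row

def find_suspicious(log_text, abs_threshold=16384, ratio=10.0):
    """Return findings for POSTs to the jabsorb-backed AjaxProxy component that
    arrive via the /wo/ path (the 'ajax' URI-check bypass) or carry a body far
    larger than the baseline seen on the normal /ajax/ path."""
    posts = [r for r in parse(log_text)
             if r["method"] == "POST" and "AjaxProxy" in r["path"]]
    baseline = [r["req_bytes"] for r in posts if "/ajax/" in r["path"]]
    median = statistics.median(baseline) if baseline else 0
    findings = []
    for r in posts:
        reasons = []
        if "/wo/" in r["path"]:
            reasons.append("AjaxProxy reached via /wo/ path (bypasses the 'ajax' URI check)")
        if r["req_bytes"] > max(abs_threshold, ratio * median):
            reasons.append(f"POST body {r['req_bytes']} bytes vs baseline median {median:.0f}")
        if reasons:
            findings.append({"ts": r["ts"], "src": r["src"], "path": r["path"],
                             "req_bytes": r["req_bytes"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f["ts"], f["src"], f["path"], f["req_bytes"], "; ".join(f["reasons"]))
```

Tune abs_threshold and ratio against a week of known-good traffic before alerting on it; a single large legitimate upload should not page anyone.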

Key Details

CVE ID: CVE-2025-40551
Vendor / Product: SolarWinds — Web Help Desk
NVD Published: 2026-01-28
NVD Last Modified: 2026-02-04
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-502
CISA KEV Added: 2026-02-03
CISA KEV Deadline: 2026-02-06
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-02-06. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2026-01-28: SolarWinds publishes advisory; CVE published; Web Help Desk 2026.1 released
2026-02-03: CISA adds CVE-2025-40551 to the Known Exploited Vulnerabilities catalog, 6 days after the advisory
2026-02-06: CISA BOD 22-01 remediation deadline (3 days from KEV listing, among the shortest ever)