Horizon3.ai researchers have disclosed a chain of serious flaws in SolarWinds Web Help Desk (WHD) that culminates in unauthenticated remote code execution (RCE) through Java deserialization (CVE-2025-40551). The chain, which affects versions prior to WHD 2026.1, combines hardcoded credentials, a request-filter bypass, and an unsafe deserialization sink.

Deserialization problems have repeatedly surfaced in SolarWinds WHD, an IT service management platform for ticketing and asset tracking. CVE-2024-28986, added to CISA's Known Exploited Vulnerabilities catalog in 2024, enabled RCE via AjaxProxy; CVE-2024-28988 and CVE-2025-26399 bypassed the fixes for it. The latest chain reaches a similar code path and evades the sanitization applied to JSON-RPC handling.

Vulnerability Demo (Source: Horizon3.ai)

The vulnerabilities comprise unsafe deserialization in the jabsorb JSON-RPC library, CSRF and request-filter bypasses, and hardcoded credentials.

CVE ID          Description                                             CVSS v3.1  Impact
CVE-2025-40551  Unauthenticated RCE through AjaxProxy deserialization   9.8        Remote command execution
CVE-2025-40537  Static "client:client" credentials grant admin access   7.5        Unauthorized privilege escalation
CVE-2025-40536  Protection bypass via a fake "-ajax?" parameter         8.1        Restricted WebObject access

Attackers get around the deserialization whitelist by injecting gadgets such as JNDI lookups, instantiate components through the "wopage" parameter, and rewrite URIs from "-ajax?" to "-wo".

Exploit chain: an unauthenticated attacker first establishes a session on the login page to obtain a wosid and an XSRF token. They then bypass the request filter with "-badparam=/ajax/&wopage=LoginPref", which instantiates LoginPref and exposes AjaxProxy. Finally, they POST malicious JSON payloads to the JSONRPC endpoint, where they are deserialized.

A Nuclei template confirms the RCE potential by triggering a JNDI lookup to an external server. Look for indications of exploitation in the files under /logs/.

Indicators of compromise by log type:

whd-session.log: "eventType=[login], accountType=[client], username=[client]" (use of the static client credentials)
whd.log: "Whitelisted payload with matched keyword: java.." and JSONRPC errors
access logs: requests to "Helpdesk.woa/wo/*" carrying non-whitelisted parameters such as "badparam=/ajax/"; requests to restricted endpoints from unusual IPs signal compromise.

Mitigations: upgrade immediately to WHD 2026.1, which addresses these issues according to SolarWinds' release notes. Review configurations to disable default accounts and enforce strict request filtering.
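The following is an added example of how a responder might sweep the three log sources above for these indicators. It is not Horizon3.ai's or SolarWinds' code. The indicator strings are the ones reported in the article; the line layouts of whd-session.log, whd.log and the access log, the URL prefix, and the allowlist of expected WebObjects parameters are assumptions, and every sample line is constructed for the example.

```python
"""Sweep constructed SolarWinds WHD log samples for the IOCs named above.

Indicator strings come from the article; log formats, the URL prefix and the
parameter allowlist are assumptions for this example.
"""
import json
import re
from urllib.parse import parse_qsl, urlsplit

# --- indicator patterns (strings reported by Horizon3.ai) ---
STATIC_CLIENT_LOGIN = re.compile(
    r"eventType=\[login\].*accountType=\[client\].*username=\[client\]")
WHITELISTED_PAYLOAD = re.compile(
    r"Whitelisted payload with matched keyword:\s*java\.", re.IGNORECASE)
JSONRPC_ERROR = re.compile(r"JSONRPC.*(?:error|exception)", re.IGNORECASE)

# Apache-style combined access log (assumed layout for the samples below).
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Parameters a legitimate WHD session is expected to send on Helpdesk.woa/wo/
# requests. ASSUMPTION: tune to your deployment; everything else is flagged.
DEFAULT_ALLOWED_PARAMS = frozenset({"wosid"})

# --- constructed sample input (not captured from a real instance) ---
SESSION_LOG = [
    "2025-11-19 10:01:02 eventType=[login], accountType=[tech], username=[admin]",
    "2025-11-19 10:03:44 eventType=[login], accountType=[client], username=[client]",
]
WHD_LOG = [
    "2025-11-19 10:03:45 INFO  AjaxProxy Whitelisted payload with matched keyword: java.util.HashMap",
    "2025-11-19 10:03:46 ERROR JSONRPC failed to invoke method: ClassNotFoundException",
    "2025-11-19 10:05:00 INFO  Ticket 1234 updated",
]
ACCESS_LOG = [
    '203.0.113.7 - - [19/Nov/2025:10:03:44 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wo/abc123/0.1?-badparam=/ajax/&wopage=LoginPref HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Nov/2025:10:03:45 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/wo/abc123/0.2?wosid=abc123 HTTP/1.1" 500 87',
    '198.51.100.4 - - [19/Nov/2025:10:04:10 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/wa/Login?wosid=def456 HTTP/1.1" 200 2048',
]


def scan_session_log(lines):
    """Lines showing a login with the static client:client account."""
    return [line for line in lines if STATIC_CLIENT_LOGIN.search(line)]


def scan_whd_log(lines):
    """Lines showing a java.* payload passing the whitelist, or JSON-RPC errors."""
    return [line for line in lines
            if WHITELISTED_PAYLOAD.search(line) or JSONRPC_ERROR.search(line)]


def scan_access_log(lines, allowed=DEFAULT_ALLOWED_PARAMS):
    """Requests under Helpdesk.woa/wo/ whose query carries parameters outside
    the allowlist (e.g. -badparam, wopage). A leading '-' is ignored when
    comparing names so '-badparam' and 'badparam' are treated alike."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or "Helpdesk.woa/wo/" not in m.group("target"):
            continue
        query = urlsplit(m.group("target")).query
        names = [k for k, _ in parse_qsl(query, keep_blank_values=True)]
        unexpected = [n for n in names if n.lstrip("-") not in allowed]
        if unexpected:
            hits.append({"ip": m.group("ip"), "target": m.group("target"),
                         "unexpected": unexpected})
    return hits


def triage(session_lines, whd_lines, access_lines, allowed=DEFAULT_ALLOWED_PARAMS):
    """Summarise indicator counts and group suspicious requests by source IP."""
    by_ip = {}
    for hit in scan_access_log(access_lines, allowed):
        by_ip[hit["ip"]] = by_ip.get(hit["ip"], 0) + 1
    return {
        "static_client_logins": len(scan_session_log(session_lines)),
        "deserialization_indicators": len(scan_whd_log(whd_lines)),
        "suspicious_requests_by_ip": by_ip,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SESSION_LOG, WHD_LOG, ACCESS_LOG), indent=2))
```

On the sample data, the one flagged request is the GET from 203.0.113.7 carrying "-badparam" and "wopage"; the POST with only a wosid passes, and the /wa/ login request is outside the watched path. Run it against real exports by replacing the three sample lists with the file contents and adjusting the allowlist and the access-log regex to match your deployment.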

Coverage exists in tools like NodeZero; monitor CISA advisories for exploitation updates.
