Full Report
In 2024, SolarWinds Web Help Desk made headlines after being exploited in the wild with a pre-auth RCE via Java deserialization, and that issue led to several others being discovered the same year. The post walks through several new bugs the researchers discovered in SolarWinds in recent months. CVE-2024-28986 is a good case study. The application uses the Java WebObjects framework, a stateful web framework where the final path segment is a long string of numbers that represent the user's state. The first number is the current state (an operation counter) that increments with each action; the remaining values encode the hierarchy of pages and components currently in use. WebObjects requires traversing the full component hierarchy to reach a given page or component.

The API request /helpdesk/WebObjects/Helpdesk.woa/ajax/9.7.43.0.0.0.4.3.7.0.7.1.1.1 takes method and params parameters in a JSON body. Following this, they found the method takeValueForKey(), which performs deserialization via a custom JSON-to-Java bridge. Further down the path it is a classic setter-based deserialization attack where the attacker controls the target type. WrapperConnectionPoolDataSource contains a usable setter, and this leads to RCE.

CVE-2025-26399 was a bypass of the original SolarWinds fix. The patch added a regex-based check that blacklisted classes that were NOT allowed. The request JSON body is decoded with Apache Commons, but the same JSON is extracted again via a different parser, org.json.JSONObject. They found an encoding difference between the libraries: Apache Commons didn't support short hex escape sequences (\xNN, two hex digits instead of the four in \uNNNN), but JSONObject did. So java\x43lass bypassed the check. Crazily enough, this wasn't how CVE-2025-26399 was actually exploited. The new sanitizeRequest method parses the JSON with Jackson and checks whether the params key is present; if so, it overrides params with an empty array. Why? If the request includes parameters for AjaxProxy, it strips them away.

Using the same trick as before, this can be bypassed with p\x61rams: Jackson doesn't see the \x escape, so the sanitizer logic is bypassed, and this creates a new zero-day in SolarWinds. They also found an authentication bypass through the odd routing in Java WebObjects. WebObjects is supposed to enforce hierarchical page traversal, but the wopage parameter allows selecting an arbitrary page, so it's possible to reach any page without authentication. Putting this together with the previous RCE bug and a new gadget, they got a pre-auth RCE. They had an additional authentication bypass that was less powerful. Overall, a great post on real vulnerability discovery. It's funny that they found a bypass for a fix without even realizing it initially. Patch bypasses are fairly common, especially with something like SolarWinds, where the design makes fixing it feel like a game of whack-a-mole.
Analysis Summary
# Vulnerability: SolarWinds Web Help Desk Pre-Auth RCE Chain
## CVE Details
- **CVE ID:** CVE-2025-40552, CVE-2025-40553, CVE-2025-40554
- **CVSS Score:** 9.8 (Critical) - *Estimated based on pre-auth RCE impact*
- **CWE:** CWE-502 (Deserialization of Untrusted Data), CWE-288 (Authentication Bypass Using an Alternate Path)
## Affected Systems
- **Products:** SolarWinds Web Help Desk (WHD)
- **Versions:** All versions prior to the January 28, 2025 patch (e.g., versions affected by previous 2024/2025 N-days).
- **Configurations:** Systems exposed to the network/internet; specifically those utilizing the Java WebObjects framework.
## Vulnerability Description
This exploit chain involves three primary flaws discovered as bypasses to previous fixes:
1. **Auth Bypass (CVE-2025-40552 / CVE-2025-40554):** Exploits the routing logic of the legacy Java WebObjects framework. While the framework intends to enforce hierarchical page traversal, the `wopage` parameter can be manipulated to select arbitrary pages, bypassing authentication checks.
2. **RCE via Deserialization (CVE-2025-40553):** A bypass of the CVE-2025-26399 patch. The original patch used a regex blacklist and Jackson-based sanitization to strip the `params` key. However, researchers found an encoding discrepancy: by using a short hex escape sequence in the key name (e.g., `p\x61rams`), the attacker can slip past the Jackson-based `sanitizeRequest` method while the underlying `org.json.JSONObject` parser still decodes the key as `params`, leading to a setter-based deserialization attack (using gadgets such as `WrapperConnectionPoolDataSource`).
## Exploitation
- **Status:** PoC developed by researchers; similar flaws (CVE-2024-28986) have been exploited in the wild.
- **Complexity:** Medium (Requires specific knowledge of Java WebObjects routing and serialization gadgets).
- **Attack Vector:** Network (Remote, Pre-Authentication).
## Impact
- **Confidentiality:** High (Full access to help desk tickets, asset data, and internal databases).
- **Integrity:** High (Ability to execute arbitrary commands on the host system).
- **Availability:** High (Potential for full system takeover or service disruption).
## Remediation
### Patches
- **Update to the latest SolarWinds Web Help Desk version** released on or after **January 28, 2025**. This update addresses the bypasses identified as CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554.
### Workarounds
- Restrict access to the Web Help Desk interface to authorized IP ranges or via VPN only.
- Implement a Web Application Firewall (WAF) to block requests containing suspicious hex-encoded JSON keys (e.g., `\x` sequences) and direct `wopage` parameter manipulation.
## Detection
- **Indicators of Compromise:**
  - High frequency of requests to `/helpdesk/WebObjects/Helpdesk.woa/ajax/` containing encoded JSON keys.
  - Presence of `wopage` parameters in logs targeting administrative or internal pages.
  - Unexpected child processes spawned by the Java Web Help Desk process.
- **Tools:** A Detection Artifact Generator (DAG) is available via the watchTowr Labs GitHub repository: `github[.]com/watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553`.
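The parser differential described in the Full Report (a strict parser that knows only `\uNNNN` versus a tolerant one that also honours `\xNN`) is also the basis for the "encoded JSON keys" indicator above. The following is an added example, not code from the post or from watchTowr's repository: it decodes every key under both escape rules, flags requests where a watched name (`params`, `javaClass`) only appears after `\xNN` resolution, and runs that check over constructed sample traffic. The watched-key set, the helper names and the sample bodies are assumptions for illustration.

```python
import re

# Key names from the post: sanitizeRequest strips `params`, and the regex
# blacklist keys off the target type named by `javaClass` (the post shows
# `java\x43lass` slipping past it). Treat both as watched names (assumption).
WATCHED_KEYS = {"params", "javaClass"}
AJAX_PATH = "/helpdesk/WebObjects/Helpdesk.woa/ajax/"

# A strict JSON parser knows only \uNNNN; the tolerant parser on the other
# side of the differential also honours the two-digit \xNN form.
_STRICT = re.compile(r"\\u([0-9A-Fa-f]{4})")
_LENIENT = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")
_KEY = re.compile(r'"((?:[^"\\]|\\.)*)"\s*:')  # any quoted key, any depth

def _unescape(raw, pattern):
    return pattern.sub(lambda m: chr(int(m.group(m.lastindex), 16)), raw)

def json_keys(body, pattern):
    """Object keys in a JSON text as decoded under the given escape rules.
    Regex-based on purpose so the check does not inherit either parser's view."""
    return {_unescape(k, pattern) for k in _KEY.findall(body)}

def key_differential(body):
    """Watched names that appear only once \\xNN escapes are resolved, i.e.
    keys a strict sanitizer would miss but the lenient parser would act on."""
    return (json_keys(body, _LENIENT) & WATCHED_KEYS) - json_keys(body, _STRICT)

def scan(requests):
    """(path, reason) for every request to the ajax endpoint worth an alert."""
    hits = []
    for path, body in requests:
        if not path.startswith(AJAX_PATH):
            continue
        diff = key_differential(body)
        if diff:
            hits.append((path, f"parser-differential key(s): {sorted(diff)}"))
        elif "\\x" in body:  # broader rule from the workaround: any short hex escape
            hits.append((path, "short hex escape in JSON body"))
    return hits

# Constructed sample traffic (not captured data); the path is the one from the post.
SAMPLE_REQUESTS = [
    (AJAX_PATH + "9.7.43.0.0.0.4.3.7.0.7.1.1.1", '{"method":"lookup","params":["t-1"]}'),
    (AJAX_PATH + "9.7.43.0.0.0.4.3.7.0.7.1.1.1", '{"method":"lookup","p\\x61rams":["t-1"]}'),
    (AJAX_PATH + "9.7.43.0.0.0.4.3.7.0.7.1.1.1", '{"method":"lookup","p\\u0061rams":["t-1"]}'),
    ("/helpdesk/WebObjects/Helpdesk.woa/wa/login", '{"user":"alice"}'),
]
```

`scan(SAMPLE_REQUESTS)` flags only the second request: the `\u0061` variant decodes to `params` under both rule sets, so a strict sanitizer would already see and strip it.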
## References
- **Vendor Advisory:** [SolarWinds Trust Center]
- **Research Source:** [labs[.]watchtowr[.]com/buy-a-help-desk-bundle-a-remote-access-solution-solarwinds-web-help-desk-pre-auth-rce-chains/]
- **Related Advisories:** [www[.]zerodayinitiative[.]com/advisories/ZDI-25-906/]