Ghost in the Shell: Unauthenticated RCE in SolarWinds Web Help Desk
Vulnerability ID: CVE-2025-40551
CVSS Score: 9.8
Published: 2026-01-28
A critical unauthenticated remote code execution (RCE) vulnerability in SolarWinds Web Help Desk (WHD) allows attackers to execute arbitrary commands with SYSTEM privileges. The flaw stems from a dangerous combination of an authentication bypass and insecure deserialization within the legacy 'jabsorb' library, leading to a classic JNDI injection scenario.
TL;DR
Unauthenticated attackers can bypass access controls to reach a JSON-RPC endpoint, instantiate arbitrary Java classes, and trigger a JNDI injection via JNDIConnectionPool, resulting in immediate RCE as SYSTEM.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-502 (Deserialization of Untrusted Data)
- Attack Vector: Network (CVSS: AV:N)
- CVSS Score: 9.8 (Critical)
- Privileges Required: None (PR:N)
- Exploit Status: Active Exploitation (CISA KEV)
- EPSS Score: 0.54991 (High Probability)
Affected Systems
- SolarWinds Web Help Desk <= 12.8.3 HF2
- SolarWinds Web Help Desk 12.8.4
- SolarWinds Web Help Desk <= 12.8.8 HF1 (fixed in 2026.1)
Mitigation Strategies
- Immediate Patching
- Network Segmentation
- Outbound Traffic Filtering
Remediation Steps:
- Upgrade SolarWinds Web Help Desk to version 2026.1 or later.
- Verify no other versions of WHD are running in the environment.
- Block outbound LDAP/RMI access from the WHD server firewall to the internet.
- Review server logs for indicators of compromise (IOCs) such as connections to unknown IPs.
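A small triage script for the last two steps, added here as an example; it is not part of the advisory or of any SolarWinds tooling. It flags JSON-RPC request bodies that reference `JNDIConnectionPool` or carry an LDAP/RMI URL, and outbound connections from the WHD host to LDAP/RMI ports on non-internal, non-allowlisted addresses. The two log formats, the sample lines and the `/helpdesk/REDACTED` path are constructed assumptions, since the advisory does not name the endpoint.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample data (not from any real deployment). Assumed formats:
#   web log:      "<src_ip> <method> <path> <status> body=<request body>"
#   outbound log: "OUT <dst_ip>:<port>"
WEB_LOG = [
    '10.0.0.5 POST /helpdesk/REDACTED 200 body={"method":"ticket.get","params":[42]}',
    '203.0.113.7 POST /helpdesk/REDACTED 200 body={"method":"REDACTED","params":["JNDIConnectionPool","ldap://203.0.113.7/a"]}',
    '198.51.100.9 POST /helpdesk/REDACTED 500 body={"method":"REDACTED","params":["rmi://198.51.100.9:1099/b"]}',
]
OUTBOUND_LOG = [
    "OUT 10.0.0.20:389",     # internal directory server: expected, not flagged
    "OUT 203.0.113.7:389",   # external LDAP: flagged
    "OUT 198.51.100.9:1099", # external RMI registry: flagged
    "OUT 93.184.216.34:443", # HTTPS: not a JNDI port, ignored here
]

JNDI_CLASS = "JNDIConnectionPool"                      # class named in the advisory
JNDI_URL = re.compile(r"\b(?:ldaps?|rmi)://", re.IGNORECASE)
JNDI_PORTS = {389, 636, 1099}                         # LDAP, LDAPS, RMI registry
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def flag_web_requests(lines):
    """Return (source_ip, reasons) for requests whose body looks like a JNDI attempt."""
    hits = []
    for line in lines:
        body = line.split("body=", 1)[1] if "body=" in line else ""
        reasons = []
        if JNDI_CLASS in body:
            reasons.append("jndi-class")
        if JNDI_URL.search(body):
            reasons.append("jndi-url")
        if reasons:
            hits.append((line.split()[0], reasons))
    return hits

def flag_outbound(lines, allow):
    """Return (dst_ip, port) for LDAP/RMI connections leaving the WHD host to
    addresses that are neither RFC 1918 internal nor explicitly allowlisted."""
    hits = []
    for line in lines:
        if not line.startswith("OUT "):
            continue
        dst, port = line.split()[1].rsplit(":", 1)
        port = int(port)
        if port in JNDI_PORTS and dst not in allow \
                and not any(ip_address(dst) in n for n in INTERNAL):
            hits.append((dst, port))
    return hits
```

Port-based matching only catches the standard LDAP/RMI ports; the outbound filter on the WHD server itself should be default-deny rather than a port blocklist.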
References
Read the full report for CVE-2025-40551 on our website for more details including interactive diagrams and full exploit analysis.