id: CVE-2025-40554

info:
  name: CVE-2025-40554 - SolarWinds Web Help Desk Authentication Bypass
  author: rxerium
  severity: critical
  description: |
    SolarWinds Web Help Desk version 12.8.8 Hotfix 1 and prior contains a critical authentication bypass
    vulnerability (CWE-1390: Weak Authentication) that allows a remote unauthenticated attacker to execute
    actions or methods on a target system which are intended to be gated by authentication. With a CVSS score
    of 9.8, this vulnerability can be exploited over the network with low complexity, requires no privileges,
    and has high impact on confidentiality, integrity, and availability. Based upon the vendor-supplied CVSS
    scores, the impact is equivalent to that of the RCE deserialization vulnerabilities, likely meaning it can
    also be leveraged for remote code execution. This vulnerability was discovered by watchTowr's Piotr Bazydlo
    and disclosed on January 28, 2026. Customers are advised to update to Web Help Desk version 2026.1 on an
    urgent basis, outside of normal patching cycles.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-40554
    - https://www.rapid7.com/blog/post/etr-multiple-critical-solarwinds-web-help-desk-vulnerabilities-cve-2025-40551-40552-40553-40554/
    - https://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/
  metadata:
    verified: true
    max-request: 1
    vendor: SolarWinds
    product: Web Help Desk
    cvss-score: 9.8
    cwe-id: CWE-1390
    cisa-kev: false
    shodan-query: http.favicon.hash:"1895809524"
  tags: cve,cve2025,solarwinds,webhelpdesk,authbypass,rce

http:
  - method: GET
    path:
      - "{{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa"

    stop-at-first-match: true
    host-redirects: true
    max-redirects: 2

    extractors:
      # Pull the build token out of a static-asset URL, e.g. "?v=12_8_8_1".
      - type: regex
        name: build_token
        part: body
        group: 1
        regex:
          - "\\?v=([0-9]+_[0-9]+_[0-9]+_[0-9]+)"
        internal: true

      # Normalise the token to a dotted version string for compare_versions.
      - type: dsl
        name: version
        dsl:
          - "replace(build_token, '_', '.')"

    matchers-condition: and
    matchers:
      # Product fingerprint: any one of these strings identifies Web Help Desk.
      - type: word
        words:
          - "Web Help Desk Software"
          - "SolarWinds WorldWide"
          - "/WebObjects/Helpdesk.woa"
          - "HCS Web Help Desk"
        condition: or

      # Patched version is 2026.1, so any version below 2026.1 is vulnerable
      # (this includes 12.8.8 Hotfix 1 and all earlier versions).
      # versions: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/release_notes_aggregator.htm?v=2026-1&sort=product&expand=false
      - type: dsl
        dsl:
          - "compare_versions(version, '< 2026.1')"
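The extractor and matcher logic above, reimplemented in Python so the check can be reproduced against a saved copy of a Web Help Desk login page without running Nuclei. This is an added example, not part of the template: the HTML body is constructed, and `compare_versions` is assumed to order these dotted strings as plain numeric tuples.

```python
import re
from typing import Optional

# Constructed sample of a Web Help Desk page body (not captured from a real
# host). It contains a banner string and a static-asset URL whose ?v= build
# token encodes the installed version, here 12.8.8 Hotfix 1 -> 12_8_8_1.
SAMPLE_BODY = """
<html><head><title>Web Help Desk Software</title>
<link rel="stylesheet" href="/helpdesk/WebObjects/Helpdesk.woa/css/whd.css?v=12_8_8_1">
</head><body>Copyright SolarWinds WorldWide, LLC.</body></html>
"""

# Same strings as the template's word matcher (condition: or).
BANNER_WORDS = ("Web Help Desk Software", "SolarWinds WorldWide",
                "/WebObjects/Helpdesk.woa", "HCS Web Help Desk")
# Same pattern as the template's regex extractor (group 1 is the token).
BUILD_TOKEN_RE = re.compile(r"\?v=([0-9]+_[0-9]+_[0-9]+_[0-9]+)")
PATCHED = "2026.1"


def extract_version(body: str) -> Optional[str]:
    """Mirror the two extractors: regex group 1, then replace '_' with '.'."""
    m = BUILD_TOKEN_RE.search(body)
    return m.group(1).replace("_", ".") if m else None


def version_tuple(v: str) -> tuple:
    """'12.8.8.1' -> (12, 8, 8, 1); tuples compare component by component."""
    return tuple(int(p) for p in v.split("."))


def is_vulnerable(version: str) -> bool:
    """compare_versions(version, '< 2026.1'): anything below the patched release."""
    return version_tuple(version) < version_tuple(PATCHED)


def assess(body: str) -> dict:
    """matchers-condition: and -> fingerprint hit AND version below 2026.1."""
    fingerprinted = any(w in body for w in BANNER_WORDS)
    version = extract_version(body)
    vulnerable = fingerprinted and version is not None and is_vulnerable(version)
    return {"fingerprinted": fingerprinted, "version": version, "vulnerable": vulnerable}


if __name__ == "__main__":
    print(assess(SAMPLE_BODY))
```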