好的,我现在需要帮用户总结一篇文章的内容,控制在100个字以内。首先,我得仔细阅读这篇文章,了解主要信息。 文章标题是SolarWinds Web Help Desk的反序列化漏洞,并且有活跃的利用情况。看起来这是一个安全漏洞,可能影响很大。 文章开头提到SolarWinds WHD存在一个关键的未认证反序列化漏洞,允许远程攻击者执行代码。这个漏洞被追踪为CVE-2025-40551,源于AjaxProxy功能中对攻击者控制的Java对象处理不安全。 接下来,文章提到SolarWinds已经确认在2026.1版本中修复了这个问题,之前的版本都存在风险。 然后,文章详细说明了漏洞如何被利用,包括绕过请求过滤保护、访问受限组件以及使用静态凭证。这些弱点导致AjaxProxy组件触发反序列化,进而远程执行代码。 还提到之前类似的漏洞多次被绕过,说明这个问题比较顽固。由于WHD常用于内部IT管理,被攻陷后影响很大,可能成为进一步攻击的跳板。 最后,文章提供了应对措施:运行快速响应测试、立即升级到最新版本、重新测试确认修复,并给出了指示器和时间线等信息。 总结一下主要内容:SolarWinds WHD存在严重反序列化漏洞(CVE-2025-40551),允许未认证攻击者远程执行代码;该漏洞存在于所有旧版本中;建议立即升级到2026.1版本以修复问题。 </think> SolarWinds Web Help Desk 存在严重反序列化漏洞(CVE-2025-40551),允许未认证攻击者远程执行代码并完全控制受影响系统。该漏洞源于 AjaxProxy 功能中对 Java 对象处理不安全。所有旧版本均受影响,建议立即升级至 2026.1 或更高版本以修复问题。 2026-1-28 17:52:19 Author: horizon3.ai(查看原文) 阅读量:0 收藏
SolarWinds Web Help Desk Deserialization Vulnerability | Active Exploitation
SolarWinds Web Help Desk (WHD) contains a critical unauthenticated deserialization vulnerability that allows remote attackers to achieve remote code execution on vulnerable instances. Tracked as CVE-2025-40551, the issue stems from unsafe handling of attacker-controlled Java objects within AjaxProxy functionality. Successful exploitation enables full compromise of the underlying system, including persistent access and lateral movement into internal management networks.
SolarWinds has confirmed the issues are patched in Web Help Desk version 2026.1. All prior versions should be considered vulnerable and at immediate risk.
Stop Guessing, Start Proving
What it is and why it matters
CVE-2025-40551 is reachable without authentication by chaining multiple weaknesses in SolarWinds Web Help Desk. An attacker can bypass request-filter protections to access restricted WebObjects components, tracked as CVE-2025-40536. In some environments, static credentials created during initialization, tracked as CVE-2025-40537, may further simplify access to authenticated functionality. These weaknesses allow attackers to reach AjaxProxy components and trigger unsafe Java deserialization, resulting in remote code execution.
This vulnerability follows a familiar pattern in Web Help Desk. Previous fixes for AjaxProxy deserialization issues were bypassed multiple times, including CVE-2024-28986, CVE-2024-28988, and CVE-2025-26399. CVE-2025-40551 demonstrates that attackers can still reliably reach dangerous code paths without authentication, despite multiple remediation attempts.
Because Web Help Desk is commonly deployed as an internal IT management system, compromise has an outsized impact. Successful exploitation gives attackers access to IT workflows, credentials, configuration data, and systems used for identity and access administration. In practice, Web Help Desk often becomes a pivot point for broader compromise of internal management and directory services.
NodeZero® Offensive Security Platform — Rapid Response
The SolarWinds Web Help Desk Rapid Response test (CVE-2025-40551), released January 27, 2026, enables customers to safely verify whether Web Help Desk instances are exploitable to the unauthenticated deserialization vulnerability and therefore susceptible to full system compromise, and to confirm remediation.
- Run the Rapid Response test — run the SolarWinds Web Help Desk — CVE-2025-40551 Rapid Response test from the customer portal to assess both internet-facing and internal WHD instances for unauthenticated remote code execution exposure.
- Patch immediately — upgrade SolarWinds Web Help Desk to version 2026.1 or later. No effective workarounds are available for vulnerable versions, and delaying patching leaves systems exposed to full compromise.
- Re-run the Rapid Response test — after upgrading, re-run the SolarWinds Web Help Desk Rapid Response test to confirm that the deserialization path is no longer exploitable.
If the Rapid Response test confirms exploitability, treat the system as compromised. Collect forensic artifacts, including WHD application logs, JSONRPC or AjaxProxy error logs, and access logs showing suspicious requests to Helpdesk.woa endpoints. Isolate affected systems, investigate for persistence or lateral movement, and engage your incident response team immediately.
Indicators of compromise (for hunting)
Web Help Desk log files are typically located in the application’s log directory unless otherwise configured.
| Indicator | Source | What to look for |
| Default client account login | WHD session logs | Authentication events involving the default client account, including log entries showing eventType=[login] with username=[client]. |
| JSONRPC / AjaxProxy errors | WHD application logs | Errors or unusual activity related to JSONRPC or AjaxProxy processing, including org.jabsorb.JSONRPCBridge exceptions. |
| Whitelisted payload manipulation | WHD application logs | Log entries referencing whitelisted payloads that include Java object manipulation or unexpected JSONRPC method calls. |
| Suspicious WebObjects requests | WHD access logs | Requests to /Helpdesk.woa/wo/* endpoints with unexpected or unusual query parameters. |
| Ajax whitelist bypass attempts | WHD access logs | Requests containing query parameters with the string /ajax/, which may indicate attempts to bypass request-filter protections. |
Any confirmed indicators should be treated as evidence of full system compromise and investigated accordingly.
Affected versions & patch
All SolarWinds Web Help Desk versions prior to 2026.1 are affected.
SolarWinds has released fixes in Web Help Desk version 2026.1. Organizations should assume exploitation is possible wherever vulnerable versions are reachable, even if the service is believed to be internally scoped or not intentionally exposed to the internet.
Timeline (key)
December 5, 2025 — Horizon3.ai discloses the issues to SolarWinds PSIRT
December 12, 2025 — SolarWinds confirms report validity
January 21, 2026 — SolarWinds provides a preview release
January 28, 2026 — SolarWinds releases patches publicly
References
- SolarWinds Security Advisory — SolarWinds Web Help Desk vulnerabilities
- CISA Known Exploited Vulnerabilities (KEV) Catalog
- Horizon3.ai Research Blog — SolarWinds Web Help Desk Deserialization Issues
Read about other CVEs
NodeZero® Platform
Implement a continuous find, fix, and verify loop with NodeZero
The NodeZero® platform empowers your organization to reduce your security risks by autonomously finding exploitable weaknesses in your network, giving you detailed guidance around how to priortize and fix them, and having you immediately verify that your fixes are effective.
Recognized By
如有侵权请联系:admin#unsafe.sh