watchTowr Labs researchers discovered three new vulnerabilities in SolarWinds Web Help Desk while attempting to reproduce a known CVE. The chain includes two authentication bypass flaws (CVE-2025-40552, CVE-2025-40554) and a pre-auth RCE via deserialization (CVE-2025-40553). The post details how the legacy Java WebObjects framework exposes an AjaxProxy component that is vulnerable to setter-based deserialization via the jabsorb library. It walks through bypassing SolarWinds' patch for CVE-2025-26399 using a custom \x hex escape sequence that Jackson ignores but the old JSONObject parser decodes. After SolarWinds removed the C3P0 gadget, the researchers found a new RCE path: Apache Commons DBCP2's BasicDataSource is used to connect to a bundled PostgreSQL instance (configured with no-auth trust for local connections) and execute OS commands via COPY FROM PROGRAM as SYSTEM.
Table of contents
What Is SolarWinds Web Help Desk?
Why Are We Crying?
History Lesson - SolarWinds Web Help Desk Deserialization “Challenges”
SolarWinds WHD Deserialization CVE-2024-28986 - A Brief Explainer
Reproducing CVE-2025-26399 - Deserialization RCE
Reproducing CVE-2025-26399 - Bypassing checkSuspeciousPayload
Reproducing CVE-2025-26399 - Bypassing Regex Check
Reproducing CVE-2025-26399 - Bypassing the Length Check
Reproducing CVE-2025-26399 - Proof of Concept
Discovering WT-2025-0100/CVE-2025-40553 - Deserialization RCE via CVE-2025-26399 Patch Bypass
Discovering WT-2025-0099/CVE-2025-40552 and WT-2025-0101/CVE-2025-40554 - Authentication Bypass
A Failed Attempt At Combining WT-2025-0099 (CVE-2025-40552) and WT-2025-0100 (CVE-2025-40553)
Revisiting WT-2025-0100/CVE-2025-40553 Again: SQL Query Execution Gadget
Bringing It All Together - CVE-2025-40552/WT-2025-0099 and CVE-2025-40553/WT-2025-0100 Pre-Auth RCE Chain
Detection Artifact Generator
Timeline
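
A defender-side check for the parser differential described in the summary, as an added example that is not code from the watchTowr post or from SolarWinds: it scans a raw JSON request body for backslash escapes that RFC 8259 does not define, such as \x. The function name, the sample bodies and the assumption that raw bodies can be inspected before any parser normalizes them (for example at a proxy) are constructed for illustration.

```python
import re

# Escapes RFC 8259 permits inside a JSON string: \" \\ \/ \b \f \n \r \t \uXXXX
_SIMPLE = set('"\\/bfnrt')
_HEX4 = re.compile(r"[0-9a-fA-F]{4}")


def nonstandard_escapes(body: str) -> list[tuple[int, str]]:
    """Return (offset, escape) for each backslash escape inside a JSON
    string literal that RFC 8259 does not define (for example \\x)."""
    hits = []
    in_string = False
    i = 0
    while i < len(body):
        ch = body[i]
        if not in_string:
            in_string = ch == '"'        # an unescaped quote opens a string
            i += 1
        elif ch == '"':
            in_string = False            # an unescaped quote closes it
            i += 1
        elif ch != "\\":
            i += 1
        else:
            nxt = body[i + 1:i + 2]      # "" when the body ends on a backslash
            if nxt in _SIMPLE:
                i += 2                   # standard two-character escape
            elif nxt == "u" and _HEX4.fullmatch(body[i + 2:i + 6]):
                i += 6                   # standard \uXXXX escape
            else:
                hits.append((i, body[i:i + 2]))
                i += 2
    return hits


# Constructed sample bodies (not taken from the post).
# BENIGN holds escaped backslashes followed by "x", which must not be flagged.
BENIGN = r'{"id":1,"path":"C:\\x86\\tools \u0041"}'
SUSPICIOUS = r'{"id":2,"na\x6de":"constructed"}'

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, nonstandard_escapes(body))
```

A hit means two parsers may disagree about what the string contains, so a filter that uses one parser and an application that uses another will not be inspecting the same value.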