Share
## https://sploitus.com/exploit?id=8A6FA74F-A4B7-598D-932A-0A26436B9BC2
# CVE-2025-40552 and CVE-2025-40553 SolarWinds Web Help Desk Pre-Auth RCE Chain

SolarWinds Web Help Desk Pre-Auth RCE Chain Detection Artifact Generator Tool

# Description

This Detection Artifact Generator verifies if SolarWinds Web Help Desk instance is vulnerable to CVE-2025-40552 and CVE-2025-40553.

Detection Artifact Generator attempts to perform two operations:
* Bypass authentication with CVE-2025-40552 - this check is very accurate.
* If it is successful, it tries to verify the CVE-2025-40553 RCE through the execution of `cmd.exe /c whoami` command - this check is not 100% accurate, as it's based on the error messages that may vary depending on the environment.

**ATTENTION** - during the RCE testing, the script will create `SWWHDDAG` table in the `postgres` database.

After the test, you can verify if the command output exists in the database:

```
> SELECT * FROM public.swwhddagmm2t6t79

"output"
"nt authoritysystem"
```

# Detection in Action

Test against vulnerable instance:

```
$ python3 watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py -H https://vulnerable.lab:8443
                         __         ___  ___________                   
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________ 
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(   \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|   
                                  \/          \/     \/                            
          
        watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py
        (*) CVE-2025-40552 + CVE-2025-40553 Pre-Auth RCE Chain in SolarWinds Web Help Desk - Detection Artifact Generator

          - Piotr Bazydlo (@chudyPB) of watchTowr 

        CVEs: CVE-2025-40552 and CVE-2025-40553

[+] Testing CVE-2025-40552 Authentication Bypass
        [+] Triggering error and poisoning context cache with LookAndFeelPref
[+] VULNERABLE to CVE-2025-40552 Authentication Bypass
[+] Testing CVE-2025-40553 RCE
        [+] This stage will create SWWHDDAGp08zwfs6 DB table if successful
        [+] Verifying deserialization and serialization of org.apache.commons.dbcp2.BasicDataSource
[+] PROBABLY VULNERABLE: Connection validated and SQL queries can be executed
        [+] Executing "cmd.exe /c whoami" - verify locally if it worked
```

Test against not vulnerable instance:

```
$ python3 watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py -H https://notvulnerable.lab:8443
                         __         ___  ___________                   
         __  _  ______ _/  |__ ____ |  |_\__    ____\____  _  ________ 
         \ \/ \/ \__  \    ___/ ___\|  |  \|    | /  _ \ \/ \/ \_  __ \
          \     / / __ \|  | \  \___|   Y  |    |(   \     / |  | \/
           \/\_/ (____  |__|  \___  |___|__|__  | \__  / \/\_/  |__|   
                                  \/          \/     \/                            
          
        watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py
        (*) CVE-2025-40552 + CVE-2025-40553 Pre-Auth RCE Chain in SolarWinds Web Help Desk - Detection Artifact Generator

          - Piotr Bazydlo (@chudyPB) of watchTowr 

        CVEs: CVE-2025-40552 and CVE-2025-40553

[+] Testing CVE-2025-40552 Authentication Bypass
        [+] Triggering error and poisoning context cache with LookAndFeelPref
[-] NOT VULNERABLE to CVE-2025-40552, exiting
```

# Affected Versions

`< SolarWinds Web Help Desk 2026.1`

References: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm

# Follow [watchTowr](https://watchTowr.com) Labs

For the latest security research follow the [watchTowr](https://watchTowr.com) Labs Team 

- https://labs.watchtowr.com/

- https://x.com/watchtowrcyber