Detect SolarWinds Web Help Desk Deserialization of Untrusted Data (CVE-2025-26399) in IBM QRadar
CVE-2025-26399 is a deserialization of untrusted data vulnerability (CWE-502) in SolarWinds Web Help Desk. Exploitation allows remote attackers to execute arbitrary code by sending maliciously crafted serialized Java objects to the application. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. SolarWinds Web Help Desk is widely deployed in enterprise and government environments for IT service management, making this a high-priority target for threat actors seeking privileged network access.
MITRE ATT&CK
- Tactic
- Initial Access Execution Persistence
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
LOGSOURCENAME(logsourceid) AS log_source,
username,
sourceip,
destinationip,
destinationport,
"Process Name" AS process_name,
"Parent Process Name" AS parent_process_name,
"Command" AS command_line,
CATEGORYNAME(category) AS event_category
FROM events
WHERE
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Windows Security Event Log', 'Sysmon')
AND (
(
LOWER("Parent Process Name") LIKE '%java.exe%'
AND (
LOWER("Process Name") LIKE '%cmd.exe%'
OR LOWER("Process Name") LIKE '%powershell.exe%'
OR LOWER("Process Name") LIKE '%wscript.exe%'
OR LOWER("Process Name") LIKE '%cscript.exe%'
OR LOWER("Process Name") LIKE '%mshta.exe%'
OR LOWER("Process Name") LIKE '%certutil.exe%'
)
AND (
LOWER("Parent Process Path") LIKE '%webhelpdesk%'
OR LOWER(HOSTNAME) LIKE '%whd%'
OR LOWER(HOSTNAME) LIKE '%helpdesk%'
)
)
OR (
LOGSOURCETYPENAME(devicetype) IN ('Cisco ASA', 'Palo Alto PA Series')
AND destinationport IN (4444, 9001, 1337, 8888)
AND LOWER(HOSTNAME) LIKE '%whd%'
)
)
LAST 24 HOURSQRadar AQL query detecting CVE-2025-26399 exploitation by searching for suspicious child processes spawned under the WHD Java runtime and outbound connections from WHD hosts to common reverse shell ports.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate Java-based automation on the WHD host that invokes cmd.exe or PowerShell for scripted tasks
- Security scanners executing from the WHD server that spawn subprocesses
- IT management platforms (e.g., SCCM) using Java runtimes and shell invocations
- Patching workflows that use Java-based utilities to launch installer subprocesses
Other platforms for CVE-2025-26399
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate Java Deserialization Reverse Shell Spawn (Windows)
Expected signal: Sysmon Event ID 1: ProcessCreate with ParentImage=java.exe, Image=cmd.exe, CommandLine containing 'whoami'; DeviceProcessEvents in MDE showing same relationship
- Test 2Simulate WHD Java Process Network Beacon to C2 Port
Expected signal: Sysmon Event ID 3: NetworkConnect from java.exe to 127.0.0.1:4444; MDE DeviceNetworkEvents showing RemotePort=4444 from InitiatingProcessFileName=java.exe
- Test 3Simulate Malicious Class File Drop by WHD JVM (Linux)
Expected signal: Linux auditd or Sysmon-for-Linux: file creation event under /tmp owned by webhelpdesk user, initiated by java process; file content containing shell redirect syntax
- Test 4Reproduce Serialized Object HTTP POST to WHD Endpoint (Lab)
Expected signal: WAF/proxy logs showing HTTP POST with Content-Type: application/octet-stream and body beginning with AC ED 00 05; WHD application logs showing deserialization attempt (may log exception)
Unlock Pro Content
Get the full detection package for CVE-2025-26399 including response playbook, investigation guide, and atomic red team tests.