Detect SolarWinds Web Help Desk Deserialization of Untrusted Data (CVE-2025-26399) in Microsoft Sentinel
CVE-2025-26399 is a deserialization of untrusted data vulnerability (CWE-502) in SolarWinds Web Help Desk. Exploitation allows remote attackers to execute arbitrary code by sending maliciously crafted serialized Java objects to the application. This vulnerability is listed in CISA's Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. SolarWinds Web Help Desk is widely deployed in enterprise and government environments for IT service management, making this a high-priority target for threat actors seeking privileged network access.
MITRE ATT&CK
- Tactics: Initial Access, Execution, Persistence
KQL Detection Query
// Host scoping: Web Help Desk host-name patterns, plus the WebHelpDesk install path of the Java process
let WHD_Hosts = dynamic(["whd", "helpdesk", "webhelpdesk"]);
// LOLBins and download tools that a JVM serving a help-desk application has no reason to spawn
let SuspiciousProcs = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe"]);
union
(
    // Branch 1: suspicious child (or grandchild) process of the WHD JVM.
    // Scope on the JVM's own folder (InitiatingProcessFolderPath); the child's FolderPath would be System32 for cmd.exe and never match.
    DeviceProcessEvents
    | where InitiatingProcessFileName =~ "java.exe" or InitiatingProcessParentFileName =~ "java.exe"
    | where FileName in~ (SuspiciousProcs)
    | where DeviceName has_any (WHD_Hosts) or InitiatingProcessFolderPath has "WebHelpDesk"
    | project TimeGenerated, DeviceName, AccountName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
    | extend DetectionReason = "Suspicious child process spawned from Java (WHD deserialization)"
),
(
    // Branch 2: outbound connection from the WHD JVM on a watched port.
    // Private destinations on ordinary web ports are excluded; a private destination on 4444 or 9001 is still reported.
    DeviceNetworkEvents
    | where InitiatingProcessFileName =~ "java.exe"
    | where DeviceName has_any (WHD_Hosts) or InitiatingProcessFolderPath has "WebHelpDesk"
    | where RemotePort in (80, 443, 4444, 8080, 8443, 9001)
    | where not (RemoteIPType == "Private" and RemotePort in (80, 443, 8080, 8443))
    // DeviceNetworkEvents has no AccountName column; alias the initiating account so the union columns line up
    | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl
    | extend DetectionReason = "Outbound network from WHD Java process (possible reverse shell)"
),
(
    // Branch 3: executable or script written by the WHD JVM outside its install directory
    DeviceFileEvents
    | where InitiatingProcessFileName =~ "java.exe"
    | where DeviceName has_any (WHD_Hosts) or InitiatingProcessFolderPath has "WebHelpDesk"
    | where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".ps1" or FileName endswith ".bat" or FileName endswith ".sh"
    | where FolderPath !has "WebHelpDesk"
    // DeviceFileEvents likewise exposes InitiatingProcessAccountName rather than AccountName
    | project TimeGenerated, DeviceName, AccountName = InitiatingProcessAccountName, InitiatingProcessCommandLine, FileName, FolderPath, SHA256
    | extend DetectionReason = "Binary/script drop by WHD Java process"
)
| sort by TimeGenerated desc

This query detects indicators of CVE-2025-26399 exploitation against SolarWinds Web Help Desk: suspicious child processes spawned from the WHD Java runtime, unexpected outbound network connections from the WHD JVM, and file drops (executables or scripts) by the Java process outside the application directory.
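The following is an added example, not code from the original page or from SolarWinds: a plain-Python emulation of the three union branches of the KQL rule, run over constructed MDE-style records so that the scoping and the private-address exclusion can be checked offline before the rule is deployed. KQL `has` and `has_any` match whole terms; the substring checks below approximate that. Host scoping is done on `InitiatingProcessFolderPath` (the JVM's own folder) in all three branches, and every hostname, address and path in the sample records is made up.

```python
# Added example (not from the original page): offline emulation of the three KQL branches
# over constructed MDE-style records. Hostnames, addresses and paths are invented.
JAVA = "java.exe"
WHD_HOSTS = ("whd", "helpdesk", "webhelpdesk")
SUSPICIOUS_PROCS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                    "certutil.exe", "bitsadmin.exe", "curl.exe", "wget.exe"}
WATCHED_PORTS = {80, 443, 4444, 8080, 8443, 9001}
WEB_PORTS = {80, 443, 8080, 8443}          # ignored when the destination is a private address
DROP_EXTENSIONS = (".exe", ".dll", ".ps1", ".bat", ".sh")


def field(ev, key):
    """Case-folded string value of a record field (KQL =~ and in~ are case-insensitive)."""
    return str(ev.get(key, "")).lower()


def on_whd_host(ev):
    """DeviceName has_any (WHD_Hosts) or InitiatingProcessFolderPath has "WebHelpDesk" (substring approximation)."""
    return (any(h in field(ev, "DeviceName") for h in WHD_HOSTS)
            or "webhelpdesk" in field(ev, "InitiatingProcessFolderPath"))


def process_branch(ev):
    """Branch 1: LOLBin spawned by the JVM directly or one hop below it."""
    java_ancestor = (field(ev, "InitiatingProcessFileName") == JAVA
                     or field(ev, "InitiatingProcessParentFileName") == JAVA)
    return java_ancestor and field(ev, "FileName") in SUSPICIOUS_PROCS and on_whd_host(ev)


def network_branch(ev):
    """Branch 2: outbound connection from the JVM to a watched port."""
    if field(ev, "InitiatingProcessFileName") != JAVA or not on_whd_host(ev):
        return False
    port = ev.get("RemotePort")
    if port not in WATCHED_PORTS:
        return False
    # Private destinations on ordinary web ports are everyday WHD traffic (integrations,
    # internal services); a private destination on 4444 or 9001 is still reported.
    return not (ev.get("RemoteIPType") == "Private" and port in WEB_PORTS)


def file_branch(ev):
    """Branch 3: executable or script written by the JVM outside the install directory."""
    return (field(ev, "InitiatingProcessFileName") == JAVA and on_whd_host(ev)
            and field(ev, "FileName").endswith(DROP_EXTENSIONS)
            and "webhelpdesk" not in field(ev, "FolderPath"))


BRANCHES = {
    "DeviceProcessEvents": (process_branch, "Suspicious child process spawned from Java (WHD deserialization)"),
    "DeviceNetworkEvents": (network_branch, "Outbound network from WHD Java process (possible reverse shell)"),
    "DeviceFileEvents": (file_branch, "Binary/script drop by WHD Java process"),
}


def evaluate(events):
    """Run each (table, record) pair through its branch; return hits sorted by TimeGenerated desc."""
    hits = []
    for table, ev in events:
        predicate, reason = BRANCHES[table]
        if predicate(ev):
            hits.append({"TimeGenerated": ev["TimeGenerated"], "DeviceName": ev["DeviceName"],
                         "DetectionReason": reason})
    return sorted(hits, key=lambda h: h["TimeGenerated"], reverse=True)


def make(table, minute, device, **fields):
    """Constructed record (not real telemetry); the initiating process is the WHD JVM unless overridden."""
    record = {"TimeGenerated": f"2025-01-01T10:{minute:02d}:00Z", "DeviceName": device,
              "InitiatingProcessFileName": JAVA,
              "InitiatingProcessFolderPath": r"c:\program files\webhelpdesk\bin\jre\bin"}
    record.update(fields)
    return table, record


SAMPLE_EVENTS = [
    make("DeviceProcessEvents", 0, "whd-srv01", FileName="cmd.exe", FolderPath=r"c:\windows\system32",
         ProcessCommandLine="cmd.exe /c whoami"),                                   # hit (Test 1 shape)
    make("DeviceProcessEvents", 1, "whd-srv01", FileName="conhost.exe"),             # not a watched child
    make("DeviceProcessEvents", 2, "fileserver01", FileName="powershell.exe",
         InitiatingProcessFolderPath=r"c:\program files\java\jre\bin"),              # unrelated JVM, not WHD
    make("DeviceNetworkEvents", 3, "whd-srv01", RemoteIP="10.20.30.40", RemoteIPType="Private", RemotePort=443),   # excluded
    make("DeviceNetworkEvents", 4, "whd-srv01", RemoteIP="203.0.113.10", RemoteIPType="Public", RemotePort=4444),  # hit
    make("DeviceNetworkEvents", 5, "whd-srv01", RemoteIP="10.20.30.41", RemoteIPType="Private", RemotePort=9001),  # hit: private, but not a web port
    make("DeviceNetworkEvents", 6, "whd-srv01", RemoteIP="198.51.100.5", RemoteIPType="Public", RemotePort=25),    # port not watched
    make("DeviceFileEvents", 7, "whd-srv01", FileName="svc.exe", FolderPath=r"c:\windows\temp"),                      # hit
    make("DeviceFileEvents", 8, "whd-srv01", FileName="helper.dll", FolderPath=r"c:\program files\webhelpdesk\lib"),  # inside install dir
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Running it yields four hits in descending time order (file drop, the two network connections, the cmd.exe spawn); the private 443 connection, the unrelated JVM on fileserver01, the SMTP connection and the DLL written inside the install directory are all dropped, which is the behaviour to expect from the KQL branches.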
Data Sources
Required Tables
- DeviceProcessEvents
- DeviceNetworkEvents
- DeviceFileEvents
These are Microsoft Defender for Endpoint advanced-hunting tables, ingested into Sentinel through the Microsoft Defender XDR data connector.
False Positives & Tuning
- Legitimate Java-based administrative tools running on the same host as Web Help Desk may trigger process-based rules
- Scheduled maintenance tasks or automated patching processes spawning subprocesses from java.exe
- Internal monitoring or APM agents (e.g., Dynatrace, AppDynamics) making outbound connections from the JVM
- Software update mechanisms within Web Help Desk itself writing files to non-standard paths during upgrades
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Simulate Java Deserialization Reverse Shell Spawn (Windows)
  Expected signal: Sysmon Event ID 1: ProcessCreate with ParentImage=java.exe, Image=cmd.exe, CommandLine containing 'whoami'; DeviceProcessEvents in MDE showing the same relationship
- Test 2: Simulate WHD Java Process Network Beacon to C2 Port
  Expected signal: Sysmon Event ID 3: NetworkConnect from java.exe to 127.0.0.1:4444; MDE DeviceNetworkEvents showing RemotePort=4444 from InitiatingProcessFileName=java.exe
- Test 3: Simulate Malicious Class File Drop by WHD JVM (Linux)
  Expected signal: Linux auditd or Sysmon-for-Linux: file creation event under /tmp owned by the webhelpdesk user, initiated by the java process; file content containing shell redirect syntax
- Test 4: Reproduce Serialized Object HTTP POST to WHD Endpoint (Lab)
  Expected signal: WAF/proxy logs showing HTTP POST with Content-Type: application/octet-stream and body beginning with AC ED 00 05; WHD application logs showing a deserialization attempt (may log an exception)