CVE-2025-40536

SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536)

Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.

Vulnerability Intelligence

KEV — Known Exploited

What is CVE-2025-40536 (SolarWinds Web Help Desk Security Control Bypass)?

CVE-2025-40536 (SolarWinds Web Help Desk Security Control Bypass) maps to the Initial Access, Privilege Escalation and Credential Access tactics in MITRE ATT&CK: the adversary is trying to get into the environment, obtain higher-level permissions, and steal account credentials.

This page provides production-ready detection logic for CVE-2025-40536, covering the data sources and telemetry it touches: CommonSecurityLog, W3CIISLog and AzureActivity. The queries are rated high severity at medium confidence and ship for seven SIEM platforms: KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic), AQL (QRadar), Sumo Logic CSE, YARA-L (Google SecOps) and CQL (LogScale). Only the KQL version is reproduced on this page.

MITRE ATT&CK

Tactics: Initial Access, Privilege Escalation, Credential Access
Microsoft Sentinel / Defender (KQL)

union isfuzzy=true
(
  // Leg 1: vendor or WAF events forwarded as CEF. Requires the WHD host or a
  // fronting WAF to emit CommonSecurityLog; "401"/"403" match as whole terms.
  CommonSecurityLog
  | where DeviceVendor =~ "SolarWinds" or DeviceProduct has_any ("WebHelpDesk", "Web Help Desk", "WHD")
  | where Activity has_any ("bypass", "unauthorized", "403", "401", "security control")
  | project TimeGenerated, DeviceVendor, DeviceProduct, Activity, SourceIP, DestinationIP, AdditionalExtensions
),
(
  // Leg 2: IIS or reverse-proxy access logs. WHD itself runs on its bundled
  // Tomcat, so this leg only fires where IIS fronts the application.
  // has_any is term-based and does not match punctuation-only strings such as
  // "../", so traversal markers use contains (case-insensitive) instead, and the
  // URI stem is checked as well as the query because ".." normally lands in the path.
  W3CIISLog
  | where csUriStem has_any ("/helpdesk/", "/WebHelpDesk/", "/whd/")
  | where scStatus in (200, 201, 204)
  | where csUriQuery has_any ("bypass", "admin", "config")
      or csUriStem contains "../" or csUriStem contains "%2e%2e"
      or csUriQuery contains "../" or csUriQuery contains "%2e%2e"
      or csMethod in ("PUT", "DELETE", "PATCH")
  | project TimeGenerated, cIP, csUriStem, csUriQuery, scStatus, csMethod, csUsername
),
(
  // Leg 3: only returns rows if a resource provider namespace containing
  // "SolarWinds" exists in the tenant; otherwise it is inert.
  AzureActivity
  | where OperationNameValue has_any ("bypass", "unauthorized access")
  | where ResourceProviderValue has "SolarWinds"
  | project TimeGenerated, CallerIpAddress, OperationNameValue, ResourceGroup
)
| extend Severity = "High"
| extend CVE = "CVE-2025-40536"

Detects anomalous HTTP requests and security events targeting SolarWinds Web Help Desk endpoints that may indicate security control bypass exploitation. Looks for suspicious URI patterns, unexpected HTTP methods on admin paths, and vendor-specific security log entries. Because Web Help Desk runs on its bundled Apache Tomcat, the W3CIISLog leg only produces results where IIS (or a proxy writing IIS-format logs) sits in front of the application, and the CommonSecurityLog leg requires the WHD host or a WAF to forward CEF events; in most deployments these two legs carry the detection and the AzureActivity leg is optional.

Severity: high. Confidence: medium.
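To see the W3CIISLog predicates fire on concrete input, here is the same leg re-implemented in Python over constructed IIS W3C extended log lines. This is an added example, not the page's or SolarWinds' own code. It assumes IIS (or a proxy writing IIS-format logs) in front of WHD, the paths under /helpdesk/WebObjects/Helpdesk.woa/ follow WHD's conventional layout but are assumptions here, and the log content is constructed. It goes slightly beyond the KQL by decoding the URI twice so that %2e%2e and double-encoded %252e%252e are both caught, and by flagging 2xx write methods that IIS logged with no authenticated user.

```python
# Added example (not from the page): W3CIISLog leg of the detection over
# constructed IIS W3C log lines. Paths and log content are assumptions.
from dataclasses import dataclass
from urllib.parse import unquote

WHD_PATH_PREFIXES = ("/helpdesk/", "/webhelpdesk/", "/whd/")
SUSPICIOUS_QUERY_TERMS = ("bypass", "admin", "config")
WRITE_METHODS = {"PUT", "DELETE", "PATCH"}
SUCCESS_STATUS = {200, 201, 204}


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri_stem: str
    uri_query: str
    status: int
    username: str
    reasons: tuple


def parse_w3c(text):
    """Yield one dict per data line, taking column names from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than abort the whole file
        yield dict(zip(fields, values))


def has_traversal(component):
    """True if '..' appears raw, URL-encoded (%2e%2e) or double-encoded (%252e%252e)."""
    for _ in range(2):
        if ".." in component:
            return True
        component = unquote(component)
    return ".." in component


def detect(text):
    """Apply the W3CIISLog predicates; returns one Hit per matching row."""
    hits = []
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"]
        query = "" if row["cs-uri-query"] == "-" else row["cs-uri-query"]
        method = row["cs-method"].upper()
        status = int(row["sc-status"])
        # Scope to WHD paths and to requests the server actually honoured.
        if not stem.lower().startswith(WHD_PATH_PREFIXES) or status not in SUCCESS_STATUS:
            continue
        reasons = []
        # Substring match is broader than KQL has_any, which is term-based.
        if any(t in query.lower() for t in SUSPICIOUS_QUERY_TERMS):
            reasons.append("suspicious query term")
        if has_traversal(stem) or has_traversal(query):
            reasons.append("path traversal sequence")
        if method in WRITE_METHODS:
            reasons.append("write method")
            if row["cs-username"] == "-":
                # IIS logs "-" when no user authenticated: a 2xx write here is
                # the signal Test 2 in the Testing Methodology expects.
                reasons.append("unauthenticated write")
        if reasons:
            hits.append(Hit(f"{row['date']} {row['time']}", row["c-ip"], method,
                            stem, query, status, row["cs-username"], tuple(reasons)))
    return hits


# Constructed sample log, not real traffic. Rows: benign admin GET, unauthenticated
# PUT, encoded traversal, blocked probe (403), unrelated app, double-encoded traversal.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem cs-uri-query sc-status
2025-01-15 10:00:01 10.0.0.5 jdoe GET /helpdesk/WebObjects/Helpdesk.woa - 200
2025-01-15 10:00:02 203.0.113.7 - PUT /helpdesk/WebObjects/Helpdesk.woa/ra/Tickets - 200
2025-01-15 10:00:03 203.0.113.7 - GET /helpdesk/WebObjects/Helpdesk.woa/wa/%2e%2e/admin - 200
2025-01-15 10:00:04 203.0.113.7 - GET /helpdesk/WebObjects/Helpdesk.woa/wa/ page=admin 403
2025-01-15 10:00:05 198.51.100.9 - GET /intranet/index.html - 200
2025-01-15 10:00:06 203.0.113.7 - GET /helpdesk/WebObjects/Helpdesk.woa/wa/ path=%252e%252e%252fconfig 200
"""

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

Running it prints three hits (the PUT, the encoded traversal and the double-encoded traversal); the 403 row and the non-WHD row are filtered before any predicate runs, mirroring the order of the where clauses in the KQL.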

Data Sources

CommonSecurityLog W3CIISLog AzureActivity

Required Tables

CommonSecurityLog W3CIISLog AzureActivity

False Positives

  • Legitimate administrative activity by authorized SolarWinds WHD administrators accessing config endpoints
  • Vulnerability scanners or penetration testing tools performing authorized assessments against WHD
  • Load balancers or health-check systems issuing non-standard HTTP methods to WHD endpoints
  • Automated integrations using API credentials that generate unusual URI query patterns

Sigma rule & cross-platform mapping

The detection logic for CVE-2025-40536 above is provided in a vendor-neutral form so it can be deployed on any SIEM. The same logic ships as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), EQL (Elastic Security), AQL (IBM QRadar), Sumo Logic CSE, YARA-L (Google Chronicle / SecOps) and CQL (CrowdStrike LogScale) queries. In Sigma terms, this detection is tagged with the following logsource. Note that it describes only the AzureActivity leg; the CommonSecurityLog and W3CIISLog legs carry most of the signal and would need their own CEF and webserver logsources in a Sigma port:

logsource:
  product: azure

Testing Methodology

Validate this detection with the three Atomic Red Team-style tests below. Each lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated Access to WHD Admin Endpoint

    Expected signal: HTTP request to a WHD ticket-creation endpoint with no session cookie; a 200 response, or a redirect to a normally protected resource instead of 401/403, indicates the control was bypassed.

  2. Test 2: HTTP Method Bypass Probe Against WHD API

    Expected signal: HTTP PUT request to a WHD REST API ticket endpoint without a valid session; a 200 or 204 response indicates the operation succeeded without authentication.

  3. Test 3: Path Traversal Bypass Attempt on WHD Configuration Endpoint

    Expected signal: HTTP GET request containing the path traversal sequence /../ targeting a WHD admin path; a 200 response indicates bypass of path-level access control.
