Detect SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536) in Google Chronicle
Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.
YARA-L Detection Query
rule cve_2025_40536_solarwinds_whd_bypass {
  meta:
    author = "df00tech detection engineering"
    description = "Detects SolarWinds Web Help Desk security control bypass CVE-2025-40536"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536"
    cve = "CVE-2025-40536"

  events:
    // Only HTTP telemetry whose URL sits under a Web Help Desk path
    $e.metadata.event_type = "NETWORK_HTTP"
    (
      $e.target.url = /\/helpdesk\// nocase or
      $e.target.url = /\/WebHelpDesk\// nocase or
      $e.target.url = /\/whd\// nocase
    )
    // ...combined with either a mutating method WHD clients rarely use
    // or a URL pattern that suggests an access-control or path bypass
    (
      $e.network.http.method = "PUT" or
      $e.network.http.method = "DELETE" or
      $e.network.http.method = "PATCH" or
      $e.target.url = /bypass/ nocase or
      $e.target.url = /\/admin\// nocase or
      $e.target.url = /\/config\// nocase or
      $e.target.url = /\.\.\// nocase or
      $e.target.url = /%2e%2e/ nocase
    )
    // ...that the server accepted with a 2xx instead of rejecting with 401/403
    $e.network.http.response_code >= 200
    $e.network.http.response_code < 300

  condition:
    $e
}

Chronicle YARA-L rule that flags NETWORK_HTTP events targeting SolarWinds Web Help Desk which carry either a bypass-indicative URL pattern or an unexpected HTTP method and receive a successful (2xx) response.
False Positives & Tuning
- Authorized REST API integrations sending PUT/PATCH requests to WHD ticket endpoints
- Internal automation scripts that access WHD admin configuration paths
- Load balancer health checks using non-standard HTTP methods
- Developer workstations in non-production environments with permissive access
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Unauthenticated Access to WHD Admin Endpoint
  Expected signal: HTTP request to WHD ticket creation endpoint without session cookie; response code 200 or redirect to a normally-protected resource instead of 401/403
- Test 2: HTTP Method Bypass Probe Against WHD API
  Expected signal: HTTP PUT request to WHD REST API ticket endpoint without valid session; response code 200 or 204 indicating the operation succeeded without authentication
- Test 3: Path Traversal Bypass Attempt on WHD Configuration Endpoint
  Expected signal: HTTP GET request containing path traversal sequence /../ targeting WHD admin path; 200 response code indicating bypass of path-level access control
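To dry-run the rule and the tuning list before deploying to Chronicle, the Python harness below (added here; not df00tech's or Google's code) transliterates the rule's predicate, builds constructed UDM-shaped NETWORK_HTTP events covering the three tests above plus a benign read, a rejected probe and a sanctioned integration, and applies a hypothetical (principal.ip, method) allowlist of the kind the tuning section suggests. Hostnames, paths and IP addresses are made up.

```python
import re

# Regexes transliterated from the YARA-L rule (RE2 and Python re agree on these).
WHD_PATH = re.compile(r"/(helpdesk|WebHelpDesk|whd)/", re.IGNORECASE)
SUSPECT_PATH = re.compile(r"bypass|/admin/|/config/|\.\./|%2e%2e", re.IGNORECASE)
UNEXPECTED_METHODS = {"PUT", "DELETE", "PATCH"}
# Hypothetical tuning allowlist: (principal.ip, method) pairs of sanctioned REST integrations.
ALLOWLIST = {("10.0.5.20", "PUT"), ("10.0.5.20", "PATCH")}


def udm_http(label, method, url, code, src="203.0.113.7"):
    """Build a minimal UDM-shaped NETWORK_HTTP event; 'label' exists only for this harness."""
    return {"label": label, "metadata": {"event_type": "NETWORK_HTTP"},
            "principal": {"ip": src}, "target": {"url": url},
            "network": {"http": {"method": method, "response_code": code}}}


def matches_rule(ev):
    """Same predicate as cve_2025_40536_solarwinds_whd_bypass: WHD path AND
    (unexpected method OR bypass-indicative path) AND a 2xx response."""
    if ev["metadata"].get("event_type") != "NETWORK_HTTP":
        return False
    url = ev["target"].get("url", "")
    http = ev["network"]["http"]
    if not WHD_PATH.search(url):
        return False
    if http.get("method") not in UNEXPECTED_METHODS and not SUSPECT_PATH.search(url):
        return False
    return 200 <= http.get("response_code", 0) < 300


def alerts(events):
    """Apply the rule, then suppress hits covered by the tuning allowlist; returns labels."""
    return [ev["label"] for ev in events
            if matches_rule(ev)
            and (ev["principal"]["ip"], ev["network"]["http"]["method"]) not in ALLOWLIST]


# Constructed sample events: the three tests, one benign ticket read, one probe the
# server rejected, and one sanctioned integration the allowlist should suppress.
SAMPLE_EVENTS = [
    udm_http("test1_admin_no_session", "GET", "https://whd.example.internal/helpdesk/admin/users", 200),
    udm_http("test2_put_ticket", "PUT", "https://whd.example.internal/helpdesk/tickets/1", 204),
    udm_http("test3_traversal", "GET", "https://whd.example.internal/whd/../admin/config/", 200),
    udm_http("benign_ticket_view", "GET", "https://whd.example.internal/helpdesk/tickets/42", 200),
    udm_http("denied_probe", "PUT", "https://whd.example.internal/helpdesk/tickets/1", 401),
    udm_http("sanctioned_integration", "PUT", "https://whd.example.internal/helpdesk/tickets/2", 200, src="10.0.5.20"),
]

if __name__ == "__main__":
    for label in alerts(SAMPLE_EVENTS):
        print("ALERT", label)
```

Only the three test events should alert; the allowlisted integration matches the rule but is dropped, which is the behaviour to confirm against real integration source addresses before enabling the rule.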