CVE-2025-40536 Elastic Security · Elastic

Detect SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536) in Elastic Security

Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.ip with maxspan=5m
  [network where destination.port in (8080, 8443, 443, 80) and
   url.path : ("/helpdesk/*", "/WebHelpDesk/*", "/whd/*") and
   http.request.method in ("PUT", "DELETE", "PATCH") and
   http.response.status_code in (200, 201, 204)]
  [network where destination.port in (8080, 8443, 443, 80) and
   url.path : ("/helpdesk/*", "/WebHelpDesk/*", "/whd/*") and
   (url.query : ("*bypass*", "*admin*", "*../*", "*%2e%2e*") or
    url.path : ("*/admin/*", "*/setup/*", "*/config/*", "*/security/*"))]
high severity medium confidence

EQL sequence rule detecting a pattern of suspicious HTTP interactions with SolarWinds Web Help Desk endpoints — an unusual HTTP method followed by access to sensitive paths, potentially indicating security control bypass exploitation.

Data Sources

network packet logsweb proxy logsElastic endpoint telemetry

Required Tables

logs-*filebeat-*packetbeat-*

False Positives & Tuning

  • Authorized REST API integrations using PUT or PATCH methods against WHD endpoints
  • Internal monitoring systems that perform non-standard HTTP interactions
  • Legitimate administrative workflows that access config or setup endpoints
  • Development or staging environments with relaxed access controls

Other platforms for CVE-2025-40536

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated Access to WHD Admin Endpoint

    Expected signal: HTTP request to WHD ticket creation endpoint without session cookie; response code 200 or redirect to a normally-protected resource instead of 401/403

  2. Test 2HTTP Method Bypass Probe Against WHD API

    Expected signal: HTTP PUT request to WHD REST API ticket endpoint without valid session; response code 200 or 204 indicating the operation succeeded without authentication

  3. Test 3Path Traversal Bypass Attempt on WHD Configuration Endpoint

    Expected signal: HTTP GET request containing path traversal sequence /../ targeting WHD admin path; 200 response code indicating bypass of path-level access control

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-40536 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication ProcessT1213Data from Information Repositories

Same Tactic: Initial Access

Popular Detections