CVE-2025-40536 CrowdStrike LogScale · LogScale

Detect SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536) in CrowdStrike LogScale

Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.

MITRE ATT&CK

Tactic
  • Initial Access
  • Privilege Escalation
  • Credential Access

LogScale Detection Query

CrowdStrike LogScale (LogScale)

```cql
#repo=base_activity #event_simpleName=NetworkConnect
| in(field=RemotePort, values=["80", "443", "8080", "8443"])
| ImageFileName=/java|tomcat|whd|helpdesk/i
| join(query={
      #event_simpleName=HttpRequest
      | regex("/helpdesk/|/WebHelpDesk/|/whd/", field=Url, flags="i")
      | (in(field=HttpMethod, values=["PUT", "DELETE", "PATCH"])
         or regex("bypass|admin|config|setup|security|%2e%2e|\\.\\./", field=Url, flags="i"))
      | HttpStatusCode >= 200 | HttpStatusCode < 300
    }, field=[aid, ContextProcessId], mode=inner, include=[Url, HttpMethod, HttpStatusCode])
| select([@timestamp, aid, UserName, RemoteAddressIP4, Url, HttpMethod, HttpStatusCode, ImageFileName, CommandLine])
| sort(@timestamp, order=desc)
```

Severity: high. Confidence: medium.

CrowdStrike CQL query correlating network connections from Java/Tomcat processes hosting SolarWinds Web Help Desk with suspicious HTTP request patterns, helping identify potential bypass exploitation on the endpoint itself.
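To make the correlation logic concrete, here is an added Python re-implementation of the query (not code from the detection page or from CrowdStrike) run over constructed sample events: the NetworkConnect side keeps web-port connections from Java/Tomcat/WHD images, the HttpRequest side keeps successful write-method or bypass-style requests to WHD paths, and the two are inner-joined on aid and ContextProcessId. Field names follow the query; the event values, hosts and paths are assumptions.

```python
import re
from collections import defaultdict
WEB_PORTS = {80, 443, 8080, 8443}
WRITE_METHODS = {"PUT", "DELETE", "PATCH"}
WHD_PROCESS = re.compile(r"java|tomcat|whd|helpdesk", re.I)
WHD_PATH = re.compile(r"/helpdesk/|/WebHelpDesk/|/whd/", re.I)
SUSPICIOUS_URL = re.compile(r"bypass|admin|config|setup|security|%2e%2e|\.\./", re.I)
OUTPUT_FIELDS = ("timestamp", "aid", "UserName", "RemoteAddressIP4", "Url",
                 "HttpMethod", "HttpStatusCode", "ImageFileName", "CommandLine")

def is_whd_connection(ev):
    """NetworkConnect side: web port reached from a Java/Tomcat/WHD image."""
    return ev["RemotePort"] in WEB_PORTS and WHD_PROCESS.search(ev["ImageFileName"]) is not None

def is_suspicious_request(ev):
    """HttpRequest side: WHD path, write method or bypass-style URL, and a 2xx result."""
    if not WHD_PATH.search(ev["Url"]):
        return False
    if ev["HttpMethod"] not in WRITE_METHODS and not SUSPICIOUS_URL.search(ev["Url"]):
        return False
    return 200 <= ev["HttpStatusCode"] < 300

def correlate(net_events, http_events):
    """Inner join on (aid, ContextProcessId), projected like the query, newest first."""
    requests = defaultdict(list)
    for ev in http_events:
        if is_suspicious_request(ev):
            requests[(ev["aid"], ev["ContextProcessId"])].append(ev)
    hits = []
    for ev in net_events:
        if is_whd_connection(ev):
            for req in requests.get((ev["aid"], ev["ContextProcessId"]), []):
                hits.append({f: {**ev, **req}[f] for f in OUTPUT_FIELDS})
    return sorted(hits, key=lambda h: h["timestamp"], reverse=True)

# Constructed sample telemetry (not real Falcon data); field names follow the query above.
NETWORK_CONNECT = [
    {"timestamp": 10, "aid": "host-A", "ContextProcessId": "4100", "RemotePort": 443, "UserName": "SYSTEM",
     "ImageFileName": r"C:\WebHelpDesk\bin\tomcat\tomcat.exe", "RemoteAddressIP4": "10.0.0.25", "CommandLine": "tomcat.exe"},
    {"timestamp": 11, "aid": "host-A", "ContextProcessId": "5200", "RemotePort": 443, "UserName": "alice",
     "ImageFileName": r"C:\Browser\chrome.exe", "RemoteAddressIP4": "10.0.0.25", "CommandLine": "chrome.exe"},
    {"timestamp": 12, "aid": "host-B", "ContextProcessId": "3300", "RemotePort": 8080, "UserName": "whd",
     "ImageFileName": "/opt/whd/jre/bin/java", "RemoteAddressIP4": "10.0.0.40", "CommandLine": "java -jar whd.jar"},
]
HTTP_REQUEST = [  # trailing comment names the filter that decides each case
    {"aid": "host-A", "ContextProcessId": "4100", "Url": "/helpdesk/ra/Tickets", "HttpMethod": "PUT", "HttpStatusCode": 204},    # hit: write method, 2xx
    {"aid": "host-A", "ContextProcessId": "5200", "Url": "/whd/admin", "HttpMethod": "GET", "HttpStatusCode": 200},              # chrome.exe: fails the join
    {"aid": "host-B", "ContextProcessId": "3300", "Url": "/whd/admin/../setup", "HttpMethod": "GET", "HttpStatusCode": 403},     # rejected: not 2xx
    {"aid": "host-B", "ContextProcessId": "3300", "Url": "/whd/admin/../setup", "HttpMethod": "GET", "HttpStatusCode": 200},     # hit: traversal, 2xx
]
```

Running `correlate(NETWORK_CONNECT, HTTP_REQUEST)` yields two rows (host-B first, then host-A); the chrome.exe request survives the HTTP filters but is dropped because its process never matches the image filter on the join key.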

Data Sources

  • CrowdStrike Falcon endpoint telemetry
  • Network connection events
  • HTTP request events

Required Tables

  • base_activity
  • NetworkConnect
  • HttpRequest

False Positives & Tuning

  • Legitimate WHD administrative sessions by IT staff from known workstations
  • Authorized API integrations running on managed endpoints that use non-standard HTTP methods
  • Security tooling or scanners running on monitored endpoints performing WHD assessments
  • Java-based automation tools that legitimately interact with WHD REST endpoints

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Unauthenticated Access to WHD Admin Endpoint

    Expected signal: HTTP request to WHD ticket creation endpoint without session cookie; response code 200 or redirect to a normally-protected resource instead of 401/403

  2. Test 2: HTTP Method Bypass Probe Against WHD API

    Expected signal: HTTP PUT request to WHD REST API ticket endpoint without valid session; response code 200 or 204 indicating the operation succeeded without authentication

  3. Test 3: Path Traversal Bypass Attempt on WHD Configuration Endpoint

    Expected signal: HTTP GET request containing path traversal sequence /../ targeting WHD admin path; 200 response code indicating bypass of path-level access control
