CVE-2025-40536 IBM QRadar · QRadar

Detect SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536) in IBM QRadar

Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  sourceip,
  destinationip,
  URL,
  'HTTP_Method' AS method,
  'HTTP_Status_Code' AS status_code,
  starttime,
  QIDNAME(qid) AS event_name,
  logsourcename(logsourceid) AS log_source
FROM events
WHERE
  LAST 24 HOURS
  AND (
    (URL ILIKE '%/helpdesk/%' OR URL ILIKE '%/WebHelpDesk/%' OR URL ILIKE '%/whd/%')
    AND (
      URL ILIKE '%bypass%' OR
      URL ILIKE '%../% ' OR
      URL ILIKE '%admin%' OR
      URL ILIKE '%config%' OR
      URL ILIKE '%setup%' OR
      'HTTP_Method' IN ('PUT', 'DELETE', 'PATCH')
    )
    AND 'HTTP_Status_Code' IN ('200', '201', '204')
  )
ORDER BY starttime DESC
LIMIT 1000
high severity medium confidence

QRadar AQL query to identify suspicious HTTP requests targeting SolarWinds Web Help Desk, focusing on bypass-indicative URI patterns, unexpected HTTP methods, and successful responses to sensitive endpoints.

Data Sources

web proxy logsIIS logsnetwork flow dataSolarWinds WHD logs

Required Tables

events

False Positives & Tuning

  • Legitimate REST API calls from authorized integration platforms using non-standard methods
  • Internal IT operations accessing WHD admin panels during maintenance windows
  • Automated backup or reporting tools that traverse WHD administrative paths
  • Security scanners from authorized vulnerability management programs

Other platforms for CVE-2025-40536

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated Access to WHD Admin Endpoint

    Expected signal: HTTP request to WHD ticket creation endpoint without session cookie; response code 200 or redirect to a normally-protected resource instead of 401/403

  2. Test 2HTTP Method Bypass Probe Against WHD API

    Expected signal: HTTP PUT request to WHD REST API ticket endpoint without valid session; response code 200 or 204 indicating the operation succeeded without authentication

  3. Test 3Path Traversal Bypass Attempt on WHD Configuration Endpoint

    Expected signal: HTTP GET request containing path traversal sequence /../ targeting WHD admin path; 200 response code indicating bypass of path-level access control

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-40536 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication ProcessT1213Data from Information Repositories

Same Tactic: Initial Access

Popular Detections