Detect SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536) in Microsoft Sentinel
Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.
MITRE ATT&CK
KQL Detection Query
union isfuzzy=true
(
CommonSecurityLog
| where DeviceVendor =~ "SolarWinds" or DeviceProduct has_any ("WebHelpDesk", "Web Help Desk", "WHD")
| where Activity has_any ("bypass", "unauthorized", "403", "401", "security control")
| project TimeGenerated, DeviceVendor, DeviceProduct, Activity, SourceIP, DestinationIP, AdditionalExtensions
),
(
W3CIISLog
| where csUriStem has_any ("/helpdesk/", "/WebHelpDesk/", "/whd/")
| where scStatus in (200, 201, 204) and (csUriQuery has_any ("bypass", "admin", "config", "../", "%2e%2e") or csMethod in ("PUT", "DELETE", "PATCH"))
| project TimeGenerated, cIP, csUriStem, csUriQuery, scStatus, csMethod, csUsername
),
(
AzureActivity
| where OperationNameValue has_any ("bypass", "unauthorized access")
| where ResourceProviderValue has "SolarWinds"
| project TimeGenerated, CallerIpAddress, OperationNameValue, ResourceGroup
)
| extend Severity = "High"
| extend CVE = "CVE-2025-40536"Detects anomalous HTTP requests and security events targeting SolarWinds Web Help Desk endpoints that may indicate security control bypass exploitation. Looks for suspicious URI patterns, unexpected HTTP methods on admin paths, and vendor-specific security log entries.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate administrative activity by authorized SolarWinds WHD administrators accessing config endpoints
- Vulnerability scanners or penetration testing tools performing authorized assessments against WHD
- Load balancers or health-check systems issuing non-standard HTTP methods to WHD endpoints
- Automated integrations using API credentials that generate unusual URI query patterns
Other platforms for CVE-2025-40536
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Unauthenticated Access to WHD Admin Endpoint
Expected signal: HTTP request to WHD ticket creation endpoint without session cookie; response code 200 or redirect to a normally-protected resource instead of 401/403
- Test 2HTTP Method Bypass Probe Against WHD API
Expected signal: HTTP PUT request to WHD REST API ticket endpoint without valid session; response code 200 or 204 indicating the operation succeeded without authentication
- Test 3Path Traversal Bypass Attempt on WHD Configuration Endpoint
Expected signal: HTTP GET request containing path traversal sequence /../ targeting WHD admin path; 200 response code indicating bypass of path-level access control
References (4)
Unlock Pro Content
Get the full detection package for CVE-2025-40536 including response playbook, investigation guide, and atomic red team tests.