CVE-2025-40536 Splunk · SPL

Detect SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536) in Splunk

Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

SPL Detection Query

Splunk (SPL)
spl 
index=* sourcetype IN ("solarwinds:whd", "iis", "apache_access", "nginx:plus:kv", "solarwinds:helpdesk")
| eval is_whd_path=if(match(uri_path, "(?i)/helpdesk/|/WebHelpDesk/|/whd/"), 1, 0)
| eval suspicious_bypass=if(
    match(uri_query, "(?i)bypass|admin|config|%2e%2e|\.\.[\/]") OR
    method IN ("PUT", "DELETE", "PATCH") OR
    status IN ("200", "201") AND match(uri_path, "(?i)/(admin|setup|config|security)/"),
    1, 0)
| where is_whd_path=1 AND suspicious_bypass=1
| eval cve="CVE-2025-40536"
| stats count AS request_count, values(uri_path) AS paths, values(method) AS methods, values(status) AS statuses, dc(src_ip) AS unique_src_ips BY src_ip, dest_ip, cve
| where request_count >= 3
| sort - request_count
high severity medium confidence

Detects potential exploitation of the SolarWinds Web Help Desk security control bypass by identifying suspicious HTTP requests to WHD endpoints, including unauthorized method usage and path traversal attempts, from common web access log sourcetypes.

Data Sources

SolarWinds WHD access logsIIS logsApache access logsNginx logs

Required Sourcetypes

solarwinds:whdiisapache_accesssolarwinds:helpdesk

False Positives & Tuning

  • Authorized administrative scans or health checks from known internal IP ranges
  • API integrations that use non-standard HTTP methods as part of normal operation
  • Security testing tools performing authorized vulnerability assessments
  • Misconfigured monitoring agents generating repeated requests to admin endpoints

Other platforms for CVE-2025-40536

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated Access to WHD Admin Endpoint

    Expected signal: HTTP request to WHD ticket creation endpoint without session cookie; response code 200 or redirect to a normally-protected resource instead of 401/403

  2. Test 2HTTP Method Bypass Probe Against WHD API

    Expected signal: HTTP PUT request to WHD REST API ticket endpoint without valid session; response code 200 or 204 indicating the operation succeeded without authentication

  3. Test 3Path Traversal Bypass Attempt on WHD Configuration Endpoint

    Expected signal: HTTP GET request containing path traversal sequence /../ targeting WHD admin path; 200 response code indicating bypass of path-level access control

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-40536 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication ProcessT1213Data from Information Repositories

Same Tactic: Initial Access

Popular Detections