CVE-2025-40536 Sumo Logic CSE · Sumo

Detect SolarWinds Web Help Desk Security Control Bypass (CVE-2025-40536) in Sumo Logic CSE

Detects exploitation of CVE-2025-40536, a security control bypass vulnerability (CWE-693) in SolarWinds Web Help Desk. This vulnerability is actively exploited in the wild (CISA KEV) and allows attackers to bypass authentication or authorization controls within the Web Help Desk application. Successful exploitation may enable unauthorized access to ticketing data, credential stores, or administrative functions.

MITRE ATT&CK

Tactic
Initial Access Privilege Escalation Credential Access

Sumo Detection Query

Sumo Logic CSE (Sumo)
sql 
_sourceCategory=*solarwinds* OR _sourceCategory=*helpdesk* OR _sourceCategory=*whd* OR _sourceCategory=*iis*
| parse regex "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" nodrop
| parse regex "(?<method>GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (?<uri_path>/[^\s]*)" nodrop
| parse regex "HTTP/[\d\.]+\" (?<status_code>\d{3})" nodrop
| where uri_path matches "/helpdesk/*" or uri_path matches "/WebHelpDesk/*" or uri_path matches "/whd/*"
| where (method in ("PUT","DELETE","PATCH") and status_code in ("200","201","204"))
   or uri_path matches "*admin*"
   or uri_path matches "*config*"
   or uri_path matches "*bypass*"
   or uri_path matches "*../*"
| count by src_ip, method, uri_path, status_code
| where _count >= 2
| sort by _count desc
high severity medium confidence

Sumo Logic query to surface potential CVE-2025-40536 exploitation activity by parsing web access logs for suspicious request patterns targeting SolarWinds Web Help Desk paths.

Data Sources

SolarWinds WHD access logsIIS access logsweb proxy logs

Required Tables

_sourceCategory=solarwinds_sourceCategory=helpdesk_sourceCategory=iis

False Positives & Tuning

  • Authorized administrators performing maintenance via REST API using non-GET methods
  • Monitoring tools that periodically probe WHD health and admin endpoints
  • ITSM integrations that legitimately update tickets via PUT or PATCH requests
  • Security compliance tools scanning WHD for configuration drift

Other platforms for CVE-2025-40536

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Unauthenticated Access to WHD Admin Endpoint

    Expected signal: HTTP request to WHD ticket creation endpoint without session cookie; response code 200 or redirect to a normally-protected resource instead of 401/403

  2. Test 2HTTP Method Bypass Probe Against WHD API

    Expected signal: HTTP PUT request to WHD REST API ticket endpoint without valid session; response code 200 or 204 indicating the operation succeeded without authentication

  3. Test 3Path Traversal Bypass Attempt on WHD Configuration Endpoint

    Expected signal: HTTP GET request containing path traversal sequence /../ targeting WHD admin path; 200 response code indicating bypass of path-level access control

Last updated: 2026-06-19 Research depth: standard
References (4)

Unlock Pro Content

Get the full detection package for CVE-2025-40536 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0004Privilege EscalationTA0006Credential Access

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1556Modify Authentication ProcessT1213Data from Information Repositories

Same Tactic: Initial Access

Popular Detections