Skip to content

CVE-2025-40553#1710

Closed
buixor wants to merge 1 commit intomasterfrom
CVE-2025-40553
Closed

CVE-2025-40553#1710
buixor wants to merge 1 commit intomasterfrom
CVE-2025-40553

Conversation

@buixor
Copy link
Contributor

@buixor buixor commented Feb 26, 2026

Add virtual patch for CVE-2025-40553 — SolarWinds Web Help Desk Pre-Auth RCE via Jabsorb Deserialization
This PR adds a virtual patch rule and automated test for CVE-2025-40553, part of a pre-auth RCE chain (CVE-2025-40552/40553/40554) in SolarWinds Web Help Desk, disclosed by watchTowr on 2026-02-25.
Vulnerability summary: An unauthenticated attacker can POST a jabsorb deserialization payload to the AjaxProxy endpoint (/helpdesk/WebObjects/Helpdesk.woa/ajax/) using the wopage.takeValueForKey method with a javaClass gadget to achieve remote code execution.
Files added:

appsec-rules/crowdsecurity/vpatch-CVE-2025-40553.yaml — detection rule
.appsec-tests/vpatch-CVE-2025-40553/config.yaml — test configuration
.appsec-tests/vpatch-CVE-2025-40553/CVE-2025-40553.yaml — nuclei test template (validated, returns 403)

References:

https://labs.watchtowr.com/buy-a-help-desk-bundle-a-remote-access-solution-solarwinds-web-help-desk-pre-auth-rce-chain-s/
CWE-502 (Deserialization of Untrusted Data)

@github-actions
Copy link

github-actions bot commented Feb 26, 2026

Hello @buixor and thank you for your contribution!

❗ It seems that the following scenarios are not part of the 'crowdsecurity/appsec-virtual-patching' collection:

🔴 crowdsecurity/vpatch-CVE-2025-40553 🔴

@github-actions
Copy link

github-actions bot commented Feb 26, 2026

Hello @buixor and thank you for your contribution!

I'm a bot that helps maintainers to validate scenarios and ensure they include all the required information.
I've found some errors in your scenarios, please fix them and re-submit your PR, or ask for help if you need it.

The following items have errors:

crowdsecurity/crs-exclusion-plugin-cpanel:

  • labels not found

crowdsecurity/crs-exclusion-plugin-dokuwiki:

  • labels not found

crowdsecurity/crs-exclusion-plugin-drupal:

  • labels not found

crowdsecurity/crs-exclusion-plugin-nextcloud:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpbb:

  • labels not found

crowdsecurity/crs-exclusion-plugin-phpmyadmin:

  • labels not found

crowdsecurity/crs-exclusion-plugin-wordpress:

  • labels not found

crowdsecurity/crs-exclusion-plugin-xenforo:

  • labels not found

Mitre ATT&CK

Information about mitre attack can be found here.
As an example, some common mitre attack techniques:

  • T1110 for bruteforce attacks
  • T1595 and T1190 for exploitation of public vulnerabilities
  • T1595 for generic scanning of exposed applications

Expected format is (where XXXX is the technique ID):

labels:
  classification:
    - attack.TXXXX

CVEs

If your scenario covers a specific CVE (Common Vulnerabilities and Exposures), please add it.

Expected format is (where CVE-XXX-XXX is the CVE ID):

labels:
  classification:
    - cve.CVE-XXX-XXX

Behaviors

Please identify the behavior(s) your scenario is targeting. You can find the list of available behaviors here.

Expected format is (where <behavior> is the behavior you want to target):

labels:
  behavior: <behavior>

See the labels documentation for more information.

@buixor buixor closed this Feb 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@buixor