Suspicious SolarWinds Web Help Desk Java Module Load or Child Process
Detects suspicious behavior related to SolarWinds Web Help Desk, specifically the loading of untrusted native modules (DLLs) or the spawning of suspicious child processes (cmd, PowerShell, rundll32) by the Java process, potentially indicating exploitation of deserialization vulnerabilities CVE-2025-40536 and CVE-2025-40551.
This threat brief focuses on detecting potential exploitation of SolarWinds Web Help Desk through deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551). Successful exploitation can lead to remote code execution by loading malicious SQLite extensions. The detection strategy centers on identifying unusual behaviors of the Web Help Desk Java process, such as loading untrusted or remote native modules (DLLs) or spawning suspicious child processes like cmd, PowerShell, or rundll32. These actions are not typical for a legitimate Web Help Desk server and may indicate a compromise. The references indicate public awareness of these vulnerabilities and available Metasploit modules, increasing the likelihood of exploitation attempts. This activity warrants close monitoring to prevent unauthorized access and potential data breaches.
Attack Chain
- An attacker exploits a deserialization vulnerability (CVE-2025-40536, CVE-2025-40551) in SolarWinds Web Help Desk.
- The vulnerability allows the attacker to inject malicious code into the Java process responsible for running the Web Help Desk server (java.exe).
- The attacker leverages the injected code to load a malicious SQLite extension in the form of a DLL file.
- The malicious DLL is loaded into the Java process from a remote or untrusted location, such as a network share (\Device\Mup...) or a temporary directory.
- Alternatively, the attacker uses the Java process to spawn a suspicious child process, such as cmd.exe, powershell.exe, or rundll32.exe.
- The child process executes malicious commands, downloads payloads, or performs other unauthorized actions on the system.
- The attacker gains remote code execution on the Web Help Desk server.
- The attacker may further compromise the system, exfiltrate sensitive data, or establish persistence for future access.
Impact
Successful exploitation of these deserialization vulnerabilities in SolarWinds Web Help Desk can lead to remote code execution on the affected server. This could result in the compromise of sensitive data stored within the Web Help Desk application, such as user credentials, support tickets, and internal documentation. An attacker could also use the compromised server as a pivot point to gain access to other systems within the organization’s network, leading to a wider breach. The impact is significant given the potential for data loss, system disruption, and reputational damage.
Recommendation
- Deploy the provided Sigma rules to your SIEM to detect suspicious DLL loads and child processes spawned by the Web Help Desk Java process, specifically looking for unsigned DLLs, DLLs loaded from remote locations, and suspicious child processes like cmd.exe, powershell.exe, or rundll32.
- Investigate any alerts generated by the Sigma rules, focusing on the DLL path (dll.path), code signature status (dll.code_signature.trusted), and child process command line (process.command_line).
- Apply the vendor patches or workarounds for CVE-2025-40536 and CVE-2025-40551 on all SolarWinds Web Help Desk instances to prevent exploitation.
- Monitor network traffic from the Web Help Desk server for suspicious outbound connections, particularly SMB traffic to unusual destinations, which could indicate the loading of remote DLLs.
- Enable endpoint detection and response (EDR) solutions on Web Help Desk servers to provide enhanced visibility into process activity, DLL loading, and network connections.
Detection coverage (2 rules)
Detect SolarWinds Web Help Desk Suspicious DLL Load
Severity: high. Detects CVE-2025-40536 and CVE-2025-40551 exploitation: the Java process in SolarWinds Web Help Desk loading a DLL from a remote location or an untrusted DLL.
Detect SolarWinds Web Help Desk Suspicious Child Process
Severity: medium. Detects CVE-2025-40536 and CVE-2025-40551 exploitation: the SolarWinds Web Help Desk Java process spawning cmd.exe, PowerShell, or rundll32.
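The two detections above, and the triage fields named under Recommendation (dll.path, dll.code_signature.trusted, process.command_line), can be exercised offline against sample telemetry. The following is an added example written for this brief; it is not the vendor's or the platform's own rule code. It assumes ECS-style flat event keys, that the Web Help Desk JVM runs from an install path containing "WebHelpDesk" (adjust WHD_PATH_MARKER to your environment), and uses constructed events, not real telemetry. It goes slightly beyond the text by also treating a DLL loaded from a temp directory as untrusted, which the Attack Chain section mentions.

```python
from typing import Dict, List, Optional, Tuple

Event = Dict[str, object]

# Assumption: the Web Help Desk JVM lives under an install directory containing
# this fragment. Replace with the real install path marker in your estate.
WHD_PATH_MARKER = "webhelpdesk"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}
# \Device\Mup\... is the kernel path for SMB/UNC loads; "\\" covers raw UNC paths.
REMOTE_DLL_PREFIXES = ("\\device\\mup\\", "\\\\")
TEMP_DIR_MARKERS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\")


def _norm(path: object) -> str:
    """Lower-case a path-like value; missing fields become ''."""
    return str(path or "").lower()


def is_whd_java(executable: object) -> bool:
    """True when the executable is java.exe from the Web Help Desk install."""
    exe = _norm(executable)
    return exe.endswith("\\java.exe") and WHD_PATH_MARKER in exe


def check_dll_load(event: Event) -> Optional[str]:
    """Rule 1 (high): WHD java.exe loads a remote or untrusted DLL."""
    if event.get("event.category") != "library":
        return None
    if not is_whd_java(event.get("process.executable")):
        return None
    path = _norm(event.get("dll.path"))
    if path.startswith(REMOTE_DLL_PREFIXES):
        return f"remote DLL load: {event.get('dll.path')}"
    if any(marker in path for marker in TEMP_DIR_MARKERS):
        return f"DLL loaded from temp directory: {event.get('dll.path')}"
    if event.get("dll.code_signature.trusted") is False:
        return f"untrusted DLL signature: {event.get('dll.path')}"
    return None


def check_child_process(event: Event) -> Optional[str]:
    """Rule 2 (medium): WHD java.exe spawns cmd, PowerShell or rundll32."""
    if event.get("event.category") != "process":
        return None
    if not is_whd_java(event.get("process.parent.executable")):
        return None
    name = _norm(event.get("process.name"))
    if name in SUSPICIOUS_CHILDREN:
        return f"suspicious child {name}: {event.get('process.command_line')}"
    return None


RULES = (
    ("Detect SolarWinds Web Help Desk Suspicious DLL Load", "high", check_dll_load),
    ("Detect SolarWinds Web Help Desk Suspicious Child Process", "medium", check_child_process),
)


def triage(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Run every rule over every event; return (rule title, severity, reason) hits."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        for title, severity, check in RULES:
            reason = check(ev)
            if reason:
                hits.append((title, severity, reason))
    return hits


# Constructed sample events (not real telemetry), ECS-style flat keys.
SAMPLE_EVENTS: List[Event] = [
    {   # benign: the bundled JRE loads one of its own signed DLLs
        "event.category": "library",
        "process.executable": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
        "dll.path": r"C:\Program Files\WebHelpDesk\bin\jre\bin\net.dll",
        "dll.code_signature.trusted": True,
    },
    {   # suspicious: DLL fetched over SMB through the Mup redirector
        "event.category": "library",
        "process.executable": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
        "dll.path": r"\Device\Mup\203.0.113.10\share\ext.dll",
        "dll.code_signature.trusted": False,
    },
    {   # suspicious: unsigned DLL staged in a temp directory
        "event.category": "library",
        "process.executable": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
        "dll.path": r"C:\Windows\Temp\sqlite_ext.dll",
        "dll.code_signature.trusted": False,
    },
    {   # suspicious: the WHD JVM spawned PowerShell
        "event.category": "process",
        "process.parent.executable": r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe",
        "process.name": "powershell.exe",
        "process.command_line": "powershell.exe -NoProfile -Command Get-Process",
    },
    {   # benign: an unrelated java.exe (not WHD) spawning cmd for a build
        "event.category": "process",
        "process.parent.executable": r"C:\Tools\jdk\bin\java.exe",
        "process.name": "cmd.exe",
        "process.command_line": "cmd.exe /c build.bat",
    },
]

if __name__ == "__main__":
    for title, severity, reason in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {title}: {reason}")
```

Against the constructed events the script raises three hits (two high, one medium) and stays silent on the signed JRE DLL and on the non-WHD java.exe, which is the false-positive case a SIEM tuning pass should check first: scope both rules to the Web Help Desk JVM's own path rather than to any java.exe on the host.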
Detection queries are available on the platform.