Patch Immediately: SolarWinds Warns of Remote Code Execution Risk in Web Help Desk

Published Date: September 24, 2025
Category: ShadowOpsIntel
Share:

CVE-2025-26399 is a critical Remote Code Execution (RCE) vulnerability found in SolarWinds Web Help Desk. It allows unauthenticated attackers to remotely execute arbitrary commands on the host machine. This vulnerability is especially concerning as it represents a third-level patch bypass, following CVE-2024-28986 and CVE-2024-28988, indicating persistent weaknesses in prior fixes.

Severity: Critical

Vulnerability Details

  • CVE ID: CVE-2025-26399
  • Type: Deserialization of Untrusted Data → RCE
  • CVSS Score: 9.8
  • Component Affected: AjaxProxy in SolarWinds Web Help Desk
  • Description: The vulnerability stems from improper validation of user-supplied input within the AjaxProxy component. The system deserializes untrusted data received from network requests. Without proper input validation or sanitization, attackers can craft malicious serialized objects. These objects trigger arbitrary code execution during deserialization. This unsafe deserialization allows code execution in the SYSTEM context, granting attackers full control of the affected host.
  • Patch Bypass Chain
    This CVE is not an isolated flaw, but rather part of a vulnerability patch chain:
    • CVE-2024-28986 – Original vulnerability
    • CVE-2024-28988 – Patch bypass of the above
    • CVE-2025-26399 – Current issue, bypasses the second fix
  • Affected Products: SolarWinds Web Help Desk 12.8.7 and all previous versions
  • Patched In: SolarWinds Web Help Desk 12.8.7 HF1

Exploitation

  • Attackers send crafted serialized payloads to the AjaxProxy endpoint.
  • The system deserializes them without sufficient validation.
  • Payloads execute code as SYSTEM, enabling:
    • Full remote takeover
    • Installation of persistence mechanisms
    • Lateral movement inside the corporate network
    • Potential ransomware deployment

No authentication or user interaction is required.

Recommendation

Customers running affected products should immediately download & install 12.8.7 HF1.
Steps on how to apply the hotfix is available at –
https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm

      Source:

      • https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399

      Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

      No related posts found.

      Ampcus Cyber
      Privacy Overview

      This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.

       Talk to an expert