A critical vulnerability tracked as CVE-2025-26399 affects SolarWinds Web Help Desk (WHD), a widely used IT service management platform for ticketing and asset management. The flaw enables unauthenticated remote code execution (RCE) through insecure deserialization of untrusted data in the AjaxProxy component, allowing any attacker who can reach the WHD web interface to run arbitrary commands on the server without credentials.
With a CVSS score of 9.8, the vulnerability is rated critical: it is exploitable over the network, requires no authentication or user interaction, and has low attack complexity.
Affected Systems
The vulnerability affects the following:
- SolarWinds Web Help Desk version 12.8.7 and earlier
Organizations running publicly exposed WHD instances are particularly at risk, as attackers can exploit the vulnerability without valid credentials.
Technical Analysis
Root Cause
The vulnerability arises from improper handling of serialized objects within the AjaxProxy class. The application processes serialized input received via HTTP requests without adequately validating or restricting the data structures being deserialized.
This results in a classic Java deserialization attack: the attacker supplies a serialized object graph assembled from classes that already exist on the application's classpath (a so-called gadget chain), and the side effects of those classes' deserialization logic are chained into code execution while readObject() is still running, before the application ever inspects the result.
Exploitation Flow
A typical exploitation chain may involve:
- Attacker sends a crafted request to the AjaxProxy endpoint.
- The server processes serialized input supplied by the attacker.
- Malicious serialized objects trigger execution of attacker-controlled code.
- The payload executes with the privileges of the WHD service account, which on many Windows deployments is SYSTEM.
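To make the root cause concrete, the following is an added example written for this article, not code from SolarWinds or Web Help Desk: a minimal Java handler showing the vulnerable pattern (calling readObject() on a request body as received) beside a hardened version that installs an ObjectInputFilter allow-list. The ProxyRequest class, the class names in the filter string and the "unexpected" stand-in payload are assumptions for illustration; the stand-in is an ordinary ArrayList rather than a real gadget chain, because the point being shown is that the filter rejects any class outside the allow-list before that class's deserialization logic can run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class DeserializationDemo {

    /** Hypothetical request DTO: the only object type a proxy endpoint like this should accept. */
    public static final class ProxyRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String action;
        final Map<String, String> params;

        ProxyRequest(String action, Map<String, String> params) {
            this.action = action;
            this.params = params;
        }
    }

    /** Vulnerable pattern: instantiates whatever class graph the client put in the stream. */
    static Object deserializeUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            // Any Serializable class on the classpath can be created here, and its
            // readObject()/readResolve() side effects run before this method returns.
            return in.readObject();
        }
    }

    /** Hardened pattern: allow-list the expected classes and cap graph size; reject everything else. */
    static Object deserializeFiltered(byte[] body) throws IOException, ClassNotFoundException {
        // Pattern syntax: class names separated by ';', resource limits, and a final "!*"
        // that rejects every class not explicitly listed. Nested classes use their binary name.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "DeserializationDemo$ProxyRequest;java.util.HashMap;java.lang.String;"
            + "maxdepth=5;maxrefs=100;maxbytes=65536;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(filter);
            // Throws InvalidClassException as soon as a class descriptor outside the list is read.
            return in.readObject();
        }
    }

    /** Helper used only to build sample request bodies for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        Map<String, String> params = new HashMap<>();
        params.put("id", "42");
        byte[] legit = serialize(new ProxyRequest("getTicket", params));

        // Stand-in for attacker-chosen content: a class the endpoint never expects.
        // A real payload would be a gadget chain; an ArrayList is enough to show the filter's effect.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));

        System.out.println("unsafe, legit:        " + deserializeUnsafe(legit).getClass().getName());
        System.out.println("unsafe, unexpected:   " + deserializeUnsafe(unexpected).getClass().getName());
        System.out.println("filtered, legit:      " + deserializeFiltered(legit).getClass().getName());
        try {
            deserializeFiltered(unexpected);
            System.out.println("filtered, unexpected: accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

The filter is the mechanism the JDK provides for exactly this bug class (JEP 290, Java 9 and later, also backported to 8u121+); the allow-list should name only the DTOs the endpoint genuinely exchanges, and the trailing `!*` is what turns it from advisory into enforcement. Note that filtering limits which classes can be instantiated, but the more robust fix is not to accept Java-serialized objects from unauthenticated clients at all.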
Security Context and Patch Bypass History
CVE-2025-26399 represents a third-generation vulnerability related to the same underlying flaw, following:
- CVE-2024-28986: Original RCE vulnerability
- CVE-2024-28988: First patch bypass
- CVE-2025-26399: Second patch bypass
This lineage suggests that earlier patches did not fully remediate the insecure deserialization issue within the application’s architecture.
Repeated patch bypasses increase the likelihood that attackers will keep targeting the platform and that organizations remain vulnerable despite having applied earlier patches. In practice, an instance that was patched for CVE-2024-28986 or CVE-2024-28988 but not updated since should be treated as vulnerable to CVE-2025-26399.
Observed Threat Activity
Recent investigations by security researchers indicate active exploitation of SolarWinds Web Help Desk vulnerabilities in the wild. Threat actors are targeting internet-exposed WHD instances to gain an initial foothold in enterprise environments.
Observed attack chains typically begin with exploitation of vulnerable WHD servers to achieve initial access. Once access is established, attackers may deploy remote management tools or malware to maintain control of the compromised system.
From there, threat actors often conduct internal reconnaissance and attempt lateral movement across the network. These activities may ultimately lead to attempts to access sensitive infrastructure assets, internal systems, or operational data within the environment.
Impact Assessment
Successful exploitation of CVE-2025-26399 may allow attackers to execute arbitrary commands on the affected server with the privileges of the WHD service. This level of access enables the deployment of malware, persistence mechanisms, or additional tooling designed to maintain long-term control of the compromised system.
Attackers may also gain access to sensitive data held by the Web Help Desk platform, including ticketing records, IT asset inventories, stored credentials for integrated systems (directory, mail and discovery connectors), and operational workflows. With control of the WHD server, threat actors could pivot to other systems in the network and move laterally to expand their access, so a compromise can significantly disrupt enterprise IT operations beyond the help desk itself.
Mitigation and Remediation
Organizations should take the following actions immediately:
Apply Security Updates
Update SolarWinds Web Help Desk to 12.8.7 Hotfix 1 or later, the release in which the vendor addresses CVE-2025-26399. Because WHD hotfixes are applied on top of an existing installation, confirm the running build in the WHD administration console after applying, and treat any instance still on 12.8.7 or earlier without the hotfix as exposed.
Restrict External Exposure
- Avoid exposing Web Help Desk servers directly to the internet.
- Place WHD behind VPN or secure gateways.
- Treat network restrictions as a compensating control only; an unauthenticated RCE that is reachable from any internal segment still needs the patch.
Monitor for Suspicious Activity
Look for:
- Unexpected requests to AjaxProxy endpoints
- Suspicious command execution on WHD servers
- Creation of unauthorized accounts
- Unusual outbound network connections
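As an added example for this article (not OP Innovate's or SolarWinds' tooling), the following Java program applies the first indicator in the list above to a few constructed access-log lines in Combined Log Format: it flags requests whose path contains the AjaxProxy component when they originate from a non-internal address, or when a POST arrives from a scripting tool's user agent. The log lines, the /helpdesk/AjaxProxy path and the RFC 1918 definition of "internal" are assumptions; match on the AjaxProxy route exactly as it appears in your own WHD or reverse-proxy logs.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AjaxProxyLogTriage {

    /** Combined Log Format: host ident user [time] "METHOD path proto" status bytes "referer" "agent" */
    private static final Pattern LINE = Pattern.compile(
        "^(\\S+) \\S+ \\S+ \\[([^\\]]+)\\] \"(\\S+) (\\S+) [^\"]*\" (\\d{3}) (\\S+) \"([^\"]*)\" \"([^\"]*)\"$");

    /** Match on the component name only; the full path prefix differs between deployments. */
    private static final Pattern AJAX_PROXY = Pattern.compile("(?i)ajaxproxy");

    /** Non-browser clients commonly seen in scanner and exploit traffic (assumed list, extend as needed). */
    private static final Pattern TOOL_AGENT = Pattern.compile("(?i)python|curl|go-http-client|java/|libwww");

    /** RFC 1918 ranges stand in for "internal"; adjust to the address space WHD is meant to serve. */
    static boolean isInternal(String ip) {
        if (ip.startsWith("10.") || ip.startsWith("192.168.")) return true;
        if (ip.startsWith("172.")) {
            String[] octets = ip.split("\\.");
            if (octets.length == 4) {
                try {
                    int second = Integer.parseInt(octets[1]);
                    return second >= 16 && second <= 31;
                } catch (NumberFormatException e) {
                    return false;
                }
            }
        }
        return false;
    }

    /** Returns one human-readable finding per suspicious AjaxProxy request; empty if nothing stands out. */
    static List<String> triage(List<String> lines) {
        List<String> findings = new ArrayList<>();
        for (String line : lines) {
            Matcher m = LINE.matcher(line);
            if (!m.matches()) continue; // skip lines that are not in the expected format
            String ip = m.group(1), time = m.group(2), method = m.group(3);
            String path = m.group(4), status = m.group(5), agent = m.group(8);
            if (!AJAX_PROXY.matcher(path).find()) continue;

            List<String> reasons = new ArrayList<>();
            if (!isInternal(ip)) {
                reasons.add("source " + ip + " is not an internal address");
            }
            if (method.equals("POST") && TOOL_AGENT.matcher(agent).find()) {
                reasons.add("POST from tool user-agent '" + agent + "'");
            }
            if (!reasons.isEmpty()) {
                findings.add(time + " " + method + " " + path + " [" + status + "]: " + String.join("; ", reasons));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample lines for the demo; the /helpdesk/AjaxProxy path is illustrative.
        List<String> sample = List.of(
            "10.1.5.23 - - [11/Sep/2025:09:12:01 +0000] \"GET /helpdesk/AjaxProxy?action=ping HTTP/1.1\" 200 512 \"https://whd.corp.example/helpdesk/\" \"Mozilla/5.0 (Windows NT 10.0) Firefox/128.0\"",
            "203.0.113.77 - - [11/Sep/2025:09:12:44 +0000] \"POST /helpdesk/AjaxProxy HTTP/1.1\" 500 0 \"-\" \"python-requests/2.32.3\"",
            "10.1.5.23 - - [11/Sep/2025:09:13:10 +0000] \"GET /helpdesk/Tickets HTTP/1.1\" 200 8192 \"-\" \"Mozilla/5.0 (Windows NT 10.0) Firefox/128.0\"",
            "172.20.3.9 - - [11/Sep/2025:09:14:02 +0000] \"POST /helpdesk/AjaxProxy HTTP/1.1\" 200 128 \"-\" \"curl/8.5.0\""
        );
        // Expected: the second line is flagged for both reasons, the fourth for the tool user agent only.
        for (String finding : triage(sample)) {
            System.out.println(finding);
        }
    }
}
```

Two points worth noting when turning this into a real detection: a 500 on a POST to AjaxProxy is not proof of failure, since a deserialization payload can complete its side effects and still end in an exception, so treat status codes as context rather than a filter; and once WHD is patched, any remaining AjaxProxy traffic from outside the expected client population is still worth investigating as reconnaissance.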
Strengthen Logging and Monitoring
Enable:
- Detailed application logs
- Network monitoring for suspicious traffic
- Endpoint detection for command execution anomalies
Stay Safe. Stay Secure
OP Innovate