PT-2025-39120 · SolarWinds · SolarWinds Web Help Desk
Published: 2025-09-17 · Updated: 2026-02-10
CVE-2025-26399
CVSS v2.0: 10 (Critical)
Base vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
SolarWinds Web Help Desk versions ≤ 12.8.3
SolarWinds Web Help Desk versions prior to 12.8.4
Description
SolarWinds Web Help Desk is susceptible to an unauthenticated remote code execution (RCE) vulnerability (CVE-2025-26399). The flaw stems from a deserialization issue within the AjaxProxy component, allowing attackers to execute arbitrary commands on the system without authentication. This vulnerability has been actively exploited in the wild. It bypasses previous patches, making the fix for it the third attempt to address the issue. Attackers can send crafted POST requests to the AjaxProxy endpoint, deliver malicious serialized payloads, and execute commands with elevated privileges. Approximately 31,800 instances are exposed on ZoomEye.
Recommendations
SolarWinds Web Help Desk versions ≤ 12.8.3: Upgrade to version 12.8.7 Hotfix 1 or 2026.1 immediately.
SolarWinds Web Help Desk versions prior to 12.8.4: Upgrade to version 12.8.4 or later.
Disable internet-facing access to the Web Help Desk and restrict access to VPN or internal networks.
Audit systems for deserialization errors, unexpected process execution from the WHD service account, and unusual outbound connections.
Fix
RCE
Deserialization of Untrusted Data
Weakness Enumeration
Related Identifiers
BDU:2025-11514
CVE-2025-26399
ZDI-25-906
Affected Products
SolarWinds Web Help Desk