PT-2025-39120 · Solarwinds · Solarwinds Web Help Desk

Published 2025-09-17 · Updated 2026-04-21 · CVE-2025-26399

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

SolarWinds Web Help Desk versions prior to 2026.1

Description

An unauthenticated remote code execution flaw exists in the 'AjaxProxy' component of SolarWinds Web Help Desk. The issue is caused by the deserialization of untrusted data, where attacker-controlled Java objects are processed without proper validation. This allows a remote attacker to send crafted POST requests to the 'AjaxProxy' endpoint to execute arbitrary commands on the host machine with service account privileges. This issue represents a bypass of two previous patch attempts. Real-world exploitation has been observed, including use by the Warlock ransomware group and the GOLD ENCOUNTER group, often involving lateral movement across networks and the deployment of ransomware or mining rigs.

Recommendations

Update to version 2026.1.
Update to version 12.8.7 Hotfix 1.
Disable internet-facing access and restrict the software to VPN or internal networks.
Restrict access to the 'AjaxProxy' component to minimize the risk of exploitation.
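
The access restrictions recommended above can be checked against logs. The following is an added example (not SolarWinds or advisory code) that audits a web server or reverse-proxy access log for POST requests naming 'AjaxProxy' from outside an allowlist. The combined log format, the allowed ranges and the sample paths are assumptions.

```python
import ipaddress
import re

# Assumption: networks allowed to reach Web Help Desk (VPN / internal ranges).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Common/combined access log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_allowed(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)

def audit(lines):
    """Return findings for POST requests to AjaxProxy from outside ALLOWED_NETS."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Match on the component name only; the full URL path is deployment-specific.
        if m["method"] != "POST" or "ajaxproxy" not in m["target"].lower():
            continue
        if is_allowed(m["src"]):
            continue
        # 401/403/404 suggests an upstream block; anything else reached the app.
        reached = m["status"] not in ("401", "403", "404")
        findings.append({"src": m["src"], "time": m["ts"], "target": m["target"],
                         "status": int(m["status"]), "reached_app": reached})
    return findings

# Constructed sample log lines (not real traffic; paths are placeholders).
SAMPLE = [
    '10.1.2.3 - - [17/Sep/2025:10:00:01 +0000] "POST /helpdesk/placeholder/AjaxProxy HTTP/1.1" 200 512',
    '203.0.113.7 - - [17/Sep/2025:10:00:05 +0000] "POST /helpdesk/placeholder/ajaxproxy?x=1 HTTP/1.1" 500 0',
    '203.0.113.7 - - [17/Sep/2025:10:00:09 +0000] "GET /helpdesk/placeholder/AjaxProxy HTTP/1.1" 200 10',
    '198.51.100.9 - - [17/Sep/2025:10:01:00 +0000] "POST /helpdesk/placeholder/AjaxProxy HTTP/1.1" 403 0',
    '198.51.100.9 - - [17/Sep/2025:10:01:02 +0000] "POST /helpdesk/login HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f)
```

Findings with `reached_app` set to true are the ones to triage first, since the request was not stopped before the application.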

Fix

RCE

LPE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2025-11514
CVE-2025-26399
ZDI-25-906

Affected Products

Solarwinds Web Help Desk