CVE-2025-26399: Critical RCE in SolarWinds Web Help Desk Receives a Hotfix
Another critical security vulnerability has emerged in SolarWinds’ widely used Web Help Desk software. Marked with a near-maximum CVSS score of 9.8, the newly disclosed flaw opens the door for attackers to execute arbitrary code remotely without needing authentication.
What makes this issue particularly alarming is its lineage: it’s the third attempt to fix the same underlying weakness.
What is CVE-2025-26399?
CVE-2025-26399 (CVSS 9.8) exists in the AjaxProxy component of SolarWinds Web Help Desk. It stems from improper deserialization of user-supplied data, which can be exploited to gain Remote Code Execution (RCE) on the host machine. This flaw does not require authentication, making it especially attractive to attackers.
More notably, this is not the first time this issue has surfaced. CVE-2025-26399 is a patch bypass of CVE-2024-28988, which was a patch bypass for CVE-2024-28986. All three vulnerabilities carry the same critical 9.8 CVSS score, underscoring the persistent risk.
CVE-2025-26399 (SOCRadar Vulnerability Intelligence)
While CVE-2025-26399 has not yet been seen in active exploitation, the original vulnerability in this chain (CVE-2024-28986) was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog following its disclosure. Given this precedent, organizations should treat this new bypass with high priority.
The flaw was responsibly disclosed by an anonymous researcher working with Trend Micro Zero Day Initiative.
Which Versions of SolarWinds Web Help Desk Are Affected?
Every version of Web Help Desk up to and including 12.8.7 is vulnerable. To address this, SolarWinds has released Hotfix 1 for version 12.8.7, which modifies critical JAR files and introduces a new dependency to better secure the AjaxProxy deserialization process.
Technical Details of the Fix for CVE-2025-26399
Hotfix 1 makes the following updates in the Web Help Desk’s library directory:
- Adds: HikariCP.jar
- Replaces: whd-core.jar, whd-web.jar, and whd-persistence.jar
- Removes: c3p0.jar
Administrators must stop the application, back up the affected files, and replace them with the hotfix versions to complete the patching process.
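The file changes listed above can be checked after patching. The following is an added example, not SolarWinds or SOCRadar code: it audits a Web Help Desk library directory against the Hotfix 1 file list and, if a backup directory is supplied, confirms the replaced JARs differ from the saved copies. The directory paths are arguments you supply (the page does not give the install path), and the assumption is that the backup directory holds the pre-hotfix files.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# File names exactly as listed for Hotfix 1 on this page.
ADDED = ["HikariCP.jar"]
REPLACED = ["whd-core.jar", "whd-web.jar", "whd-persistence.jar"]
REMOVED = ["c3p0.jar"]

def sha256(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def audit_hotfix(lib_dir, backup_dir=None):
    """Return findings; an empty list means lib_dir matches the hotfix layout."""
    present = {p.name.lower(): p for p in Path(lib_dir).iterdir() if p.is_file()}
    findings = []
    for name in ADDED:
        if name.lower() not in present:
            findings.append(f"missing (hotfix adds it): {name}")
    for name in REMOVED:
        if name.lower() in present:
            findings.append(f"still present (hotfix removes it): {name}")
    for name in REPLACED:
        current = present.get(name.lower())
        if current is None:
            findings.append(f"missing (hotfix replaces it): {name}")
        elif backup_dir and (Path(backup_dir) / name).is_file():
            # Assumption: backup_dir holds the pre-hotfix copies the admin saved.
            if sha256(Path(backup_dir) / name) == sha256(current):
                findings.append(f"identical to backup, not replaced: {name}")
    return findings

def demo():
    """Constructed sample: a pre-hotfix lib directory and a patched copy."""
    root = Path(tempfile.mkdtemp())
    old, new = root / "backup", root / "lib"
    old.mkdir()
    new.mkdir()
    for name in REPLACED + REMOVED:
        (old / name).write_bytes(b"pre-hotfix " + name.encode())
    for name in REPLACED + ADDED:
        (new / name).write_bytes(b"hotfix " + name.encode())
    return audit_hotfix(old), audit_hotfix(new, backup_dir=old)

if __name__ == "__main__":
    # Usage: script.py <lib directory> [backup directory]; no arguments runs the demo.
    result = audit_hotfix(*sys.argv[1:3]) if len(sys.argv) > 1 else demo()
    print(result)
```

An empty result shows only that the file layout matches the hotfix list; it does not verify the JAR contents, since the page provides no reference hashes.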
What Should Organizations Do Now?
Organizations using SolarWinds Web Help Desk should:
- Immediately apply Hotfix 1 to version 12.8.7.
- Audit systems to ensure no residual vulnerable versions are in operation.
- Monitor for any suspicious activity potentially linked to exploitation attempts.
For detailed guidance, refer to the official hotfix release note.
Access the official advisory here: SolarWinds CVE-2025-26399 Advisory.
Detect Early, Respond Fast: Real-Time Threat Visibility with SOCRadar
Identifying and responding to vulnerabilities like CVE-2025-26399 before they are exploited is critical. With SOCRadar’s Cyber Threat Intelligence module, security teams receive real-time updates and context about emerging threats, including exploitability, patch availability, and potential impact.
Vulnerability Intelligence, SOCRadar Cyber Threat Intelligence module
Combined with the Attack Surface Management (ASM) module, organizations gain continuous visibility into exposed assets and vulnerable services across their digital footprint, empowering faster prioritization and response.
Company Vulnerabilities, SOCRadar Attack Surface Management module
Don’t wait for a threat to become a breach. Leverage SOCRadar’s Vulnerability Intelligence capabilities to stay proactive against cyber threats.
