Executive Summary

CVE-2025-26399 is a critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk caused by insecure deserialization in the AjaxProxy component. This flaw allows an attacker to execute arbitrary commands on the host machine without needing to authenticate, effectively giving them control over the affected system. It is a patch bypass of previous vulnerabilities CVE-2024-28988 and CVE-2024-28986. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to remotely execute arbitrary commands on the host machine without authentication. This could lead to full system compromise, data theft, disruption of services, or further attacks within the network. Given its critical severity and high CVSS score of 9.8, exploitation could result in significant operational and security risks. [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate CVE-2025-26399, immediately install the SolarWinds Web Help Desk 12.8.7 Hotfix 1 released on September 23, 2025. The mitigation steps include: 1) Stop the Web Help Desk service; 2) Backup and delete the c3p0.jar file from the WEB-INF/lib directory; 3) Backup the existing whd-core.jar, whd-web.jar, and whd-persistence.jar files; 4) Copy the updated JAR files from the hotfix package into the WEB-INF/lib directory, including the new HikariCP.jar file; 5) Restart the Web Help Desk service. Note that the hotfix requires the base version 12.8.7 of Web Help Desk to be installed. [1]

Useful 0 Not Useful 0