CVE-2025-26399 Overview
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability represents a patch bypass of CVE-2024-28988, which in turn was a patch bypass of CVE-2024-28986, indicating a persistent weakness in the application's deserialization handling mechanisms.
The vulnerability is particularly concerning as it requires no authentication, allowing remote attackers to gain complete control over affected systems via network-accessible exploitation. Given its inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog, this vulnerability has been actively exploited in the wild.
Critical Impact
Unauthenticated remote code execution allowing attackers to execute arbitrary commands on the host machine, potentially leading to complete system compromise. This is being actively exploited in the wild and is listed in CISA's KEV catalog.
Affected Products
- SolarWinds Web Help Desk (all versions prior to hotfix)
- SolarWinds Web Help Desk 12.8.7
- SolarWinds Web Help Desk (cpe:2.3:a:solarwinds:web_help_desk:*)
Discovery Timeline
- September 23, 2025 - CVE-2025-26399 published to NVD
- March 10, 2026 - Last updated in NVD database
Technical Details for CVE-2025-26399
Vulnerability Analysis
This insecure deserialization vulnerability (CWE-502) resides in the AjaxProxy component of SolarWinds Web Help Desk. The vulnerability allows unauthenticated remote attackers to submit maliciously crafted serialized objects to the application, which are then processed without proper validation. When the application deserializes these objects, it inadvertently executes attacker-controlled code within the context of the application server.
The fact that this vulnerability represents a bypass of two previous patches (CVE-2024-28986 and CVE-2024-28988) suggests that the underlying deserialization mechanism contains fundamental architectural weaknesses that were not fully addressed in earlier remediation efforts. Attackers can exploit this vulnerability to achieve remote code execution with the privileges of the Web Help Desk service account.
Root Cause
The root cause of CVE-2025-26399 is improper handling of serialized Java objects within the AjaxProxy endpoint. The application fails to adequately validate or sanitize incoming serialized data before deserialization, allowing attackers to inject malicious object graphs. Previous patches attempted to address this by implementing blocklists or specific gadget chain mitigations, but the underlying deserialization mechanism remained vulnerable to bypass techniques.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker can remotely target the vulnerable AjaxProxy endpoint by sending specially crafted HTTP requests containing malicious serialized payloads. Upon successful exploitation, the attacker gains the ability to execute arbitrary system commands on the underlying host machine.
The vulnerability is exploited by crafting serialized Java objects that, when deserialized by the application, trigger a gadget chain resulting in command execution. The AjaxProxy endpoint processes these requests without requiring authentication, making any network-accessible Web Help Desk instance vulnerable to exploitation.
For detailed technical analysis and indicators of compromise, refer to the Microsoft Security Blog on SolarWinds and the CISA KEV listing.
Detection Methods for CVE-2025-26399
Indicators of Compromise
- Unusual HTTP POST requests to AjaxProxy endpoints containing serialized Java object signatures (e.g., aced0005 magic bytes in request body)
- Unexpected child processes spawned by the Web Help Desk service process (Tomcat/Java)
- Anomalous outbound network connections from the Web Help Desk server to unknown destinations
- Suspicious file creation or modification in web application directories
- Web server logs showing repeated requests to /helpdesk/AjaxProxy with large or binary payloads
Detection Strategies
- Deploy network intrusion detection rules to identify serialized Java objects in HTTP traffic targeting Web Help Desk endpoints
- Monitor process creation events on Web Help Desk servers for shell processes (cmd.exe, powershell.exe, /bin/sh, /bin/bash) spawned by Java processes
- Implement web application firewall (WAF) rules to detect and block deserialization attack patterns
- Review Web Help Desk access logs for anomalous request patterns to the AjaxProxy component
Monitoring Recommendations
- Enable detailed logging for the Web Help Desk application and forward logs to a SIEM for correlation and analysis
- Configure endpoint detection and response (EDR) solutions to alert on exploitation indicators including unusual Java process behavior
- Establish baseline network traffic patterns for Web Help Desk servers and alert on deviations indicating potential command-and-control activity
- Monitor for lateral movement attempts originating from Web Help Desk infrastructure
How to Mitigate CVE-2025-26399
Immediate Actions Required
- Apply the SolarWinds Web Help Desk 12.8.7 Hotfix 1 immediately as documented in the SolarWinds WHD Hotfix Release Notes
- Restrict network access to Web Help Desk instances by implementing firewall rules to limit access to trusted IP ranges only
- Review system logs on affected servers for indicators of compromise and signs of prior exploitation
- Consider temporarily taking vulnerable systems offline until patching is complete, especially if exposed to the internet
- Notify your incident response team given the active exploitation status of this vulnerability
Patch Information
SolarWinds has released a security hotfix to address CVE-2025-26399. Organizations should apply Web Help Desk version 12.8.7 Hotfix 1 or later as soon as possible. Detailed patch instructions and release notes are available from the SolarWinds Security Advisory.
Given this vulnerability's history as a patch bypass, organizations should ensure they have applied all available updates and monitor for any future security advisories from SolarWinds regarding this product.
Workarounds
- Implement network segmentation to isolate Web Help Desk servers from untrusted networks and limit lateral movement potential
- Deploy a reverse proxy or web application firewall (WAF) in front of Web Help Desk to filter malicious requests
- Disable or restrict access to the AjaxProxy endpoint if not required for business operations (test thoroughly before applying in production)
- Run Web Help Desk with minimal privileges and ensure the service account does not have administrative access to the underlying system
# Example: Restrict network access to Web Help Desk using iptables
# Allow access only from trusted management network (adjust IP range as needed)
iptables -A INPUT -p tcp --dport 8443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8443 -j DROP
# Log blocked connection attempts for monitoring
iptables -A INPUT -p tcp --dport 8443 -j LOG --log-prefix "WHD_BLOCKED: "
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
