CVE-2025-26399
📋 TL;DR
CVE-2025-26399 is an unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk's AjaxProxy component that allows attackers to execute arbitrary commands on affected systems. This affects organizations running vulnerable versions of SolarWinds Web Help Desk. This vulnerability represents a patch bypass for two previous vulnerabilities (CVE-2024-28988 and CVE-2024-28986).
💻 Affected Systems
- SolarWinds Web Help Desk
📦 What is this software?
Web Help Desk by SolarWinds
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing an attacker to execute arbitrary commands, install malware, steal data, pivot to other systems, and maintain persistent access.
Likely Case
Initial foothold leading to ransomware deployment, data exfiltration, or installation of backdoors for future attacks.
If Mitigated
Limited impact if proper network segmentation, EDR solutions, and least privilege principles are implemented.
🎯 Exploit Status
As a patch bypass for previously weaponized vulnerabilities (CVE-2024-28988 and CVE-2024-28986), exploitation is likely straightforward for threat actors.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.8.7 Hotfix 1
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399
Restart Required: Yes
Instructions:
1. Download SolarWinds Web Help Desk 12.8.7 Hotfix 1 from the SolarWinds portal.
2. Back up the current installation and database.
3. Run the installer with administrative privileges.
4. Restart the Web Help Desk service.
5. Verify the successful update through the admin interface.
🔧 Temporary Workarounds
Network Access Control
Restrict access to Web Help Desk to trusted IP addresses only
Web Application Firewall Rules
Block requests to AjaxProxy endpoints or monitor for deserialization attempts
🧯 If You Can't Patch
- Isolate the Web Help Desk server in a separate network segment with strict firewall rules
- Implement application control/whitelisting to prevent execution of unauthorized binaries
🔍 How to Verify
Check if Vulnerable:
Check the Web Help Desk version in the admin interface: Settings > About. If the version is earlier than 12.8.7 Hotfix 1, the system is vulnerable.
Check Version:
On Windows: Check registry at HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Web Help Desk\Version. On Linux: Check /opt/SolarWinds/WebHelpDesk/version.txt
Verify Fix Applied:
Verify version shows 12.8.7 Hotfix 1 or later in admin interface and test that AjaxProxy functionality still works for legitimate users.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /AjaxProxy endpoints
- Deserialization errors in application logs
- Suspicious process creation from Web Help Desk service
Network Indicators:
- Unusual outbound connections from Web Help Desk server
- Traffic to known malicious IPs or domains
SIEM Query:
source="web_help_desk" AND ((uri_path="/AjaxProxy/*" AND status_code=200 AND bytes_out>100000) OR ((process_name="cmd.exe" OR process_name="powershell.exe") AND parent_process="java.exe"))
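The same two indicators as runnable detection logic (added example, not part of the advisory): the access-log layout, the EDR (process, parent) tuple shape and every sample line are constructed assumptions, so adapt the field mapping to your real sources.

```python
"""CVE-2025-26399 detection logic over constructed sample logs (added example,
not part of the advisory; log layouts are assumptions)."""
import re

LARGE_RESPONSE_BYTES = 100_000          # threshold from the page's SIEM query
SHELLS = {"cmd.exe", "powershell.exe"}  # Web Help Desk itself runs under java.exe

# Tomcat/Apache common log format: ip ident user [time] "METHOD PATH PROTO" status bytes
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed sample data (not real traffic).
ACCESS_LOG = [
    '10.0.0.5 - - [20/Sep/2025:10:12:01 +0000] "POST /AjaxProxy/ HTTP/1.1" 200 184320',
    '10.0.0.5 - - [20/Sep/2025:10:12:02 +0000] "POST /AjaxProxy/ HTTP/1.1" 500 412',
    '10.0.0.9 - - [20/Sep/2025:10:13:40 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 152311',
    '10.0.0.5 - - [20/Sep/2025:10:14:07 +0000] "POST /AjaxProxy/action HTTP/1.1" 200 2048',
]
PROCESS_EVENTS = [  # (process_name, parent_process) as an EDR feed might report them
    ("cmd.exe", "java.exe"),
    ("powershell.exe", "explorer.exe"),
    ("java.exe", "services.exe"),
    ("PowerShell.exe", "JAVA.EXE"),
]

def suspicious_web_requests(lines):
    """POST to /AjaxProxy answered 200 with an unusually large response body."""
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or m["bytes"] == "-":
            continue  # unparseable line or no body size recorded
        if (m["method"] == "POST" and m["path"].startswith("/AjaxProxy")
                and m["status"] == "200" and int(m["bytes"]) > LARGE_RESPONSE_BYTES):
            hits.append((m["ip"], m["path"], int(m["bytes"])))
    return hits

def suspicious_process_events(events):
    """A command shell whose parent is the Web Help Desk java.exe (case-insensitive)."""
    return [(p, parent) for p, parent in events
            if p.lower() in SHELLS and parent.lower() == "java.exe"]

if __name__ == "__main__":
    for hit in suspicious_web_requests(ACCESS_LOG) + suspicious_process_events(PROCESS_EVENTS):
        print("ALERT:", hit)
```

The large GET and the small or failed POSTs are deliberately left unflagged so the byte threshold and status filter from the SIEM query are exercised, not just the path match.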