Vulnerability Security Patch Release

SolarWinds Web Help Desk repeat-bypass RCE and hotfix response

Updated 23.09.2025 16:41
Case score 60
Members 2 Latest activity 23.09.2025 16:41
Patch available CVSS: 9.8 Critical No known exploitation
First seen 23.09.2025 15:46 Last seen 23.09.2025 16:41

Overview

**SolarWinds Web Help Desk** is affected by **CVE-2025-26399**, an unauthenticated AjaxProxy deserialization flaw that can let an attacker execute commands on the host. The issue is a patch bypass of **CVE-2024-28988** and **CVE-2024-28986**, so SolarWinds released hot fixes and told operators to move to **Web Help Desk 12.8.7 HF1**. The response centers on installing the hotfix, replacing the affected JAR files, and restarting the service. Available evidence does not show exploitation in the wild, but exposed deployments still need to treat remediation as urgent.

Signals

Exploitation: CVSS 9.8 Critical; no known exploitation
Affected: Web Help Desk 12.8.7
Remediation: urgency High; patch available

Member happenings

Vulnerability: SolarWinds Web Help Desk unsafe deserialization RCE (CVE-2025-26399)
Updated 23.09.2025 16:41; Lead; Contribution 60
Exploitation: No Known Exploitation; Exploit: No Known Public Exploit; Data Type: Passwords; Patch: Patch Available

**SolarWinds Web Help Desk 12.8.7** is affected by **CVE-2025-26399**, an **unsafe-deserialization** flaw in the **AjaxProxy** component that can enable **unauthenticated command execution** on the host machine. The issue is **critical** because it can be triggered without credentials and can lead to **RCE** on vulnerable servers. SolarWinds has already issued a **hotfix** to close the vulnerability.

Security Patch Release: SolarWinds security patch release for CVE-2025-26399
Updated 23.09.2025 15:46; Context
Exploitation: No Known Exploitation; CVSS: 9.8 Critical; Urgency: High; Patch: Patch Available

SolarWinds released **hot fixes** for **Web Help Desk** to close **CVE-2025-26399**, a **critical remote code execution** flaw that could let attackers run commands on affected servers. The issue affects **Web Help Desk 12.8.7 and all earlier versions**. SolarWinds said the bug is an **unauthenticated AjaxProxy deserialization** problem, and advised upgrading to **12.8.7 HF1**. There is **no evidence of exploitation in the wild** so far.