SolarWinds Web Help Desk unsafe deserialization RCE (CVE-2025-26399)

Vulnerability
H score 60
1 unique source, 1 article

Summary

SolarWinds Web Help Desk 12.8.7 is affected by CVE-2025-26399, an unsafe-deserialization flaw in the AjaxProxy component that can enable unauthenticated command execution on the host machine. The issue is critical because it can be triggered without credentials and can lead to RCE on vulnerable servers. SolarWinds has already issued a hotfix to close the vulnerability.

Related Happenings

CISA orders FCEB remediation deadlines for KEV vulnerabilities

Public Sector Action
First: 10.03.2026 08:17 Last: 10.03.2026 08:17 Sources 1

About this happening: CISA ordered **FCEB agencies** to patch **SolarWinds Web Help Desk** by **March 12, 2026** and to fix the other two KEV-listed flaws by **March 23, 2026**, tightening remediation...

SolarWinds Web Help Desk (WHD) multi-stage exploitation wave

Exploitation Wave
First: 09.02.2026 16:42 Last: 09.02.2026 16:42 Sources 1

About this happening: **SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...

Latest development: 10.03.2026 08:17

CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. CISA said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.

BeyondTrust Remote Support and Privileged Remote Access pre-auth OS command injection (CVE-2026-1731)

Vulnerability
First: 09.02.2026 10:03 Last: 09.02.2026 10:03 Sources 1

About this happening: **CVE-2026-1731** is a **critical pre-authentication OS command injection** in **BeyondTrust Remote Support** and **Privileged Remote Access** that can let an **unauthenticated at...

Latest development: 09.02.2026 15:07

BeyondTrust secured all RS/PRA cloud systems by February 2, 2026 and directed on-premises customers to manually upgrade to Remote Support 25.3.2 or later and Privileged Remote Access 25.1.1 or later if automatic updates were not enabled.

CISA KEV remediation deadline for SolarWinds WHD CVE-2025-40551

Public Sector Action
First: 04.02.2026 07:50 Last: 04.02.2026 07:50 Sources 1

About this happening: **CISA** added **CVE-2025-40551** in **SolarWinds Web Help Desk** to the **KEV catalog** and imposed **federal remediation deadlines**, turning a newly exploited flaw into a compl...

SolarWinds Web Help Desk untrusted data deserialization RCE (CVE-2025-40551)

Vulnerability
First: 03.02.2026 21:37 Last: 03.02.2026 21:37 Sources 1

About this happening: **SolarWinds Web Help Desk** **CVE-2025-40551** is now confirmed **actively exploited**, putting unpatched systems at risk of **remote command execution**. The flaw is an **untrus...

Timeline

  1. 23.09.2025 16:41 1 article · 8mo ago

    SolarWinds discloses CVE-2025-26399 in Web Help Desk 12.8.7

    Initial Disclosure

    SolarWinds disclosed CVE-2025-26399 as a critical unauthenticated remote code execution issue in Web Help Desk 12.8.7, caused by unsafe deserialization in the AjaxProxy component and described as a patch bypass of CVE-2024-28988 and CVE-2024-28986. The issue was reported through Trend Micro Zero Day Initiative (ZDI), and no public reports of active exploitation were available at publication.

  2. 23.09.2025 16:41 2 articles · 8mo ago

    SolarWinds releases hotfix for Web Help Desk 12.8.7

    Mitigation Patch Update

    SolarWinds released a hotfix for Web Help Desk that requires version 12.8.7 to be installed and then replaces the affected JAR files: delete c3p0.jar; back up whd-core.jar, whd-web.jar, and whd-persistence.jar; copy in the hotfix-supplied JARs and add HikariCP.jar; then restart Web Help Desk. The vendor positioned the hotfix as the remediation for CVE-2025-26399.