What is CVE-2025-26399?

A critical remote code execution vulnerability in SolarWinds Web Help Desk could allow attackers to execute commands on affected systems. Organizations must prioritize immediate patching to mitigate risks associated with this vulnerability.

What is the severity of CVE-2025-26399?

CVE-2025-26399 has a severity rating of CRITICAL with a CVSS base score of 9.8.

Is CVE-2025-26399 in CISA KEV?

Yes. CVE-2025-26399 is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Organizations should prioritize remediation.

CVE-2025-26399 | Critical Vulnerability in SolarWinds Web Help Desk

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986. With a CVSS score of 9.8, this vulnerability is classified as critical, necessitating immediate attention from organizations using the affected software.

Risk to organizations includes potential unauthorized access and control over the impacted systems, leading to severe consequences such as data breaches or system compromise. Given the critical nature of this vulnerability and its exploitation status, organizations should prioritize patching immediately.

The vulnerability was discovered and disclosed in September 2025, with a known exploitation status confirmed in the KEV catalog. This highlights the urgency for defenders to act swiftly to mitigate the risk posed by this vulnerability.

Organizations are recommended to apply the necessary patches and updates provided by SolarWinds to secure their environments against this vulnerability.

Vulnerability Details

The vulnerability allows attackers to exploit the deserialization of untrusted data within the AjaxProxy component of SolarWinds Web Help Desk. The CVSS score of 9.8 indicates an extremely severe risk, with high impacts on confidentiality, integrity, and availability. Affected versions include all versions of the Web Help Desk prior to the vendor's patch, specifically versions up to 12.8.6 and 12.8.7.

Technical Analysis

The root cause of this vulnerability lies in the improper handling of deserialization processes, which can lead to arbitrary code execution. The attack vector for this vulnerability is network-based, meaning that it can be exploited remotely with no prior authentication required. The attack complexity is low, and no user interaction is needed, making it particularly dangerous for organizations. The impact on confidentiality, integrity, and availability is high, with potential for complete system takeover.

Risk & Impact Analysis

Real-world deployment of the SolarWinds Web Help Desk product exposes organizations to significant risk. The vulnerability allows attackers to execute arbitrary commands remotely, which can lead to unauthorized data access or manipulation. Given the critical nature of this vulnerability, the blast radius could potentially affect not only the vulnerable system but also connected networks and resources.

Organizations should address this vulnerability in their priority patch cycle to ensure the safety and integrity of their systems. Immediate action is necessary to prevent exploitation.

Exploitation Status

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	Yes
Ransomware Use	No

Affected Versions

All versions prior to vendor patch, specifically versions 12.8.6 and 12.8.7 of SolarWinds Web Help Desk are affected. Organizations should verify their installed versions against the vendor's recommendations.

Mitigation & Remediation

Organizations should apply the patches provided by SolarWinds as indicated in their advisory. For detailed remediation steps, consult the vendor's guidance and follow any applicable security directives.

Penetration testing can also be considered to validate the effectiveness of the applied patches.

Detection Guidance

Monitoring logs for unusual AjaxProxy requests and unexpected command executions can help detect potential exploitation attempts. Organizations should implement behavioral anomaly detection to identify unusual system activity.

AppSecure Threat Intelligence Insight

The long-term significance of this vulnerability highlights the importance of secure deserialization practices. Security teams should focus on understanding similar vulnerabilities to enhance their defensive strategies. This incident serves as a reminder of the potential for patch bypass vulnerabilities and the need for continuous monitoring.

Penetration testing methodology should be revisited to include testing for deserialization vulnerabilities as part of routine assessments.

Vulnerability management programs must evolve to address new and emerging threats effectively.

API penetration testing should be incorporated to detect similar vulnerabilities across other products.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2025-26399: Critical Vulnerability in SolarWinds Web Help Desk