SolarWinds fixed a critical RCE flaw in its Web Help Desk software
SolarWinds has fixed a critical remote code execution (RCE) vulnerability (CVE-2025-26399) in its Web Help Desk software; the flaw allows an unauthenticated attacker to execute arbitrary commands through AjaxProxy deserialization. Users are advised to install the hot fix as soon as possible to mitigate the risk. 2025-9-24 11:50:45 Author: securityaffairs.com

Pierluigi Paganini September 24, 2025

SolarWinds fixed a critical flaw in its Web Help Desk software that could allow attackers to execute arbitrary commands on vulnerable systems.

SolarWinds has released hot fixes to address a critical flaw, tracked as CVE-2025-26399 (CVSS score: 9.8), affecting its Web Help Desk software. An attacker could exploit the flaw to execute arbitrary commands on susceptible systems.

“SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.” reads the advisory. “This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.”

The vulnerability affects SolarWinds Web Help Desk 12.8.7 and all previous versions.

An anonymous researcher working with the Trend Micro Zero Day Initiative reported the flaw.

The new SolarWinds Web Help Desk flaw allows unauthenticated RCE via AjaxProxy deserialization, bypassing fixes for CVE-2024-28988 and CVE-2024-28986.

Deserialization of Untrusted Data is a high-severity vulnerability class in which an application reconstructs objects from data received from untrusted sources without verifying its integrity or validity. Attackers can craft malicious serialized objects that, when deserialized, abuse the application's own logic to execute code, access sensitive data, escalate privileges, or manipulate system processes.
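An added illustration of the failure mode described above, written for this page and not taken from the advisory or from SolarWinds' code. It uses Python's `pickle` as a stand-in for the affected serializer: the unrestricted loader calls whatever function a crafted object names, while a loader with an explicit class allowlist refuses the lookup before anything runs. `Ticket`, `CallableOnLoad` and `RestrictedUnpickler` are constructed names.

```python
import io
import os
import pickle


class Ticket:
    """Constructed sample of a legitimate application object."""

    def __init__(self, ticket_id, subject):
        self.ticket_id = ticket_id
        self.subject = subject


class CallableOnLoad:
    """Constructed hostile object: __reduce__ tells the unpickler to call an
    arbitrary function on load. os.getcwd stands in for something harmful."""

    def __reduce__(self):
        return (os.getcwd, ())


class RestrictedUnpickler(pickle.Unpickler):
    """Only resolves classes on an explicit allowlist; any other global
    (stdlib functions, builtins, os.*, ...) is refused before it can run."""

    ALLOWED = {(Ticket.__module__, "Ticket")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refused to load {module}.{name}")


def unsafe_loads(data: bytes):
    """The vulnerable pattern: trust whatever the bytes describe."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """The hardened pattern: same format, allowlisted types only."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def demo():
    benign = pickle.dumps(Ticket(42, "printer offline"))   # constructed input
    hostile = pickle.dumps(CallableOnLoad())               # constructed input
    results = {"unsafe_benign": unsafe_loads(benign).subject,
               "unsafe_hostile_ran_code": unsafe_loads(hostile) == os.getcwd(),
               "safe_benign": safe_loads(benign).subject}
    try:
        safe_loads(hostile)
        results["safe_hostile_blocked"] = False
    except pickle.UnpicklingError:
        results["safe_hostile_blocked"] = True
    return results
```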

Currently, there is no evidence that the vulnerability is being actively exploited in attacks in the wild.

The company recommends that users install the hot fixes as soon as possible.

Source: https://securityaffairs.com/182545/security/solarwinds-fixed-a-critical-rce-flaw-in-its-web-help-desk-software.html