SolarWinds has issued hotfixes to patch a critical Web Help Desk security vulnerability that could enable remote attackers to execute arbitrary commands on impacted systems.
Vulnerability Details
The vulnerability, tracked as CVE-2025-26399 with a CVSS score of 9.8, stems from the insecure deserialization of untrusted data within the AjaxProxy module. Specifically, the application fails to properly validate serialized Java objects, allowing attackers to craft malicious payloads that, when processed, can lead to arbitrary code execution. This lack of validation enables attackers to bypass existing patches and gain control over the affected server. CVE-2025-26399 also serves as a patch bypass for previous vulnerabilities (CVE-2024-28986 and CVE-2024-28988), meaning systems patched for earlier flaws may remain at risk if not updated with the latest hotfix. The vulnerability affects SolarWinds Web Help Desk 12.8.7 and all previous versions.
Exploitation Method
- The issue exists in the AjaxProxy module of SolarWinds Web Help Desk (WHD). The application fails to properly validate serialized Java objects submitted by users, an issue known as insecure deserialization.
- An attacker can create a malicious serialized Java object designed to execute arbitrary code when processed by WHD.
- The attacker sends the crafted object to the vulnerable WHD server. No authentication is required, so the attack can be carried out remotely.
- WHD deserializes the malicious object without proper validation, triggering remote code execution (RCE) on the server.
- The attacker achieves SYSTEM-level access, allowing them to run arbitrary commands, access sensitive data, and potentially move laterally across the network.
Impact
- Unauthorized Remote Access: Attackers can exploit the vulnerability without authentication, remotely targeting servers running SolarWinds Web Help Desk (WHD).
- Remote Code Execution (RCE): The flaw allows attackers to execute arbitrary code on the affected server by sending malicious serialized payloads to the AjaxProxy module.
- Full System Compromise: Successful exploitation provides attackers SYSTEM-level access, granting full control over the server, including the ability to run commands, modify files, and access sensitive data.
- Patch Bypass Risk: CVE-2025-26399 can bypass patches applied for previous related vulnerabilities (CVE-2024-28986 and CVE-2024-28988). Systems patched for earlier flaws may still be at risk if not updated with the latest hotfix.
- Potential Network Impact: With SYSTEM-level access, attackers could pivot to other connected systems, escalating the compromise beyond the WHD server. This could result in data exfiltration, service disruption, or further malware deployment.
Tactics, Techniques, and Procedures (TTPs)
- TA0001 – Initial Access: Exploiting the vulnerability to gain initial entry into the target system.
- TA0002 – Execution: Executing arbitrary commands on the compromised system.
- TA0004 – Privilege Escalation: Gaining higher-level permissions on the system.
- TA0008 – Lateral Movement: Moving to other systems within the network.
- T1210 – Exploitation of Remote Services: Exploiting remotely accessible services to execute malicious code.
- T1068 – Exploitation for Privilege Escalation: Using exploits to gain elevated privileges.
Mitigation & Recommendations
SolarWinds has released Web Help Desk 12.8.7 Hotfix 1 to address CVE-2025-26399. Users are strongly advised to apply this hotfix immediately. The hotfix includes updated JAR files and introduces a new HikariCP.jar component.
To apply the hotfix, follow these steps:
- Stop Web Help Desk.
- Navigate to <WebHelpDesk>/bin/webapps/helpdesk/WEB-INF/lib/ (substitute <WebHelpDesk> with the installation directory, which depends on the OS).
- Back up and then delete c3p0.jar.
- Back up (to a separate directory) whd-core.jar, whd-web.jar, and whd-persistence.jar.
- Copy the hotfix-supplied JARs into the same /lib directory, overwriting the originals: whd-core.jar, whd-web.jar, and whd-persistence.jar, plus add HikariCP.jar.
- Restart Web Help Desk.
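A post-install check for the file layout the hotfix steps above leave behind, added here as an example and not part of SolarWinds' hotfix or this page's original content. It assumes a lib directory path and, optionally, the separate backup directory from the steps; it reports c3p0.jar still present, HikariCP.jar absent, or a whd-*.jar that is byte-identical to its backup (meaning the overwrite step was skipped).

```python
"""Verify the WHD 12.8.7 Hotfix 1 lib/ layout described in the hotfix steps."""
import hashlib
from pathlib import Path

# Expectations derived from the hotfix steps: c3p0.jar must be deleted,
# HikariCP.jar must be added, and the three whd-*.jar files must be replaced.
REMOVED_JARS = ("c3p0.jar",)
ADDED_JARS = ("HikariCP.jar",)
REPLACED_JARS = ("whd-core.jar", "whd-web.jar", "whd-persistence.jar")


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, streamed in 64 KiB chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_hotfix_state(lib_dir, backup_dir=None) -> list[str]:
    """Return findings; an empty list means lib/ matches the hotfix layout."""
    lib = Path(lib_dir)
    backup = Path(backup_dir) if backup_dir else None
    findings = []
    for name in REMOVED_JARS:
        if (lib / name).exists():
            findings.append(f"{name} still present in lib/ (should have been deleted)")
    for name in ADDED_JARS:
        if not (lib / name).exists():
            findings.append(f"{name} missing from lib/ (hotfix JAR not copied)")
    for name in REPLACED_JARS:
        current = lib / name
        if not current.exists():
            findings.append(f"{name} missing from lib/")
            continue
        # A JAR identical to its backup was never overwritten by the hotfix copy.
        if backup is not None and (backup / name).exists():
            if sha256_of(current) == sha256_of(backup / name):
                findings.append(f"{name} is byte-identical to the backup (not overwritten)")
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 2:
        sys.exit("usage: check_hotfix.py <lib_dir> [backup_dir]")
    for line in check_hotfix_state(*sys.argv[1:3]) or ["OK: lib/ matches the hotfix layout"]:
        print(line)
```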
Instantly Fix Risks with Saner Patch Management
Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.