CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2025-26399

CVSS 9.8v3.1pub. 2025-09-23upd. 2026-03-10

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

🤖 AI Analysis
How it works

An unauthenticated attacker can send a specially crafted request to the AjaxProxy endpoint of the Web Help Desk application. This endpoint deserializes untrusted input data (CWE-502), allowing for injection of a malicious object and execution of arbitrary system commands on the machine hosting the application. The vulnerability constitutes a bypass of the patch for CVE-2024-28988, which itself was a bypass of the patch for CVE-2024-28986, indicating recurring issues with eliminating the root class of this error in this product.

Impact

An attacker can remotely execute arbitrary commands with the privileges of the application process on the server hosting SolarWinds Web Help Desk, which may lead to complete system compromise, data theft, and further lateral movement in the network.

Mitigation & patch

SolarWinds Web Help Desk must be immediately updated to version 12.8.7 Hotfix 1 in accordance with the official release notes from the vendor. Until the patch is deployed, it is recommended to restrict network access to the Web Help Desk interface exclusively to trusted IP addresses.

Who is affected

SolarWinds Web Help Desk — versions indicated in vendor references; fix available in WHD 12.8.7 Hotfix 1

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Solarwinds Web Help Desk

    APP
    Solarwinds
    12.8.7≤ 12.8.6

CISA KEV — detailsi

Vendori
SolarWinds
Producti
Web Help Desk
Added to KEVi
March 9, 2026
Remediation deadline (US Federal)i
March 12, 2026(overdue)
Required action (CISA)i

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CISA descriptioni

SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 12 marca 2026
Tags
RCEDeserialization
CWE
References

Related vulnerabilities

CVE-2025-40551CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez deserializację w SolarWinds Web Help Desk — bez uwierzytelnienia

CVE-2024-28987CRITICAL9.1⚠ KEVPL ✓ten sam produkt

SolarWinds Web Help Desk – hardcoded credential umożliwia zdalny dostęp

CVE-2024-28986CRITICAL9.8⚠ KEVPL ✓ten sam produkt

RCE przez Java Deserialization w SolarWinds Web Help Desk

CVE-2025-40552CRITICAL9.8PL ✓ten sam produkt

SolarWinds Web Help Desk — pominięcie uwierzytelnienia (Auth Bypass)

CVE-2025-40553CRITICAL9.8PL ✓ten sam produkt

SolarWinds Web Help Desk — zdalne wykonanie kodu przez niebezpieczną deserializację