SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
An unauthenticated attacker can send a specially crafted request to the AjaxProxy endpoint of the Web Help Desk application. This endpoint deserializes untrusted input data (CWE-502), allowing for injection of a malicious object and execution of arbitrary system commands on the machine hosting the application. The vulnerability constitutes a bypass of the patch for CVE-2024-28988, which itself was a bypass of the patch for CVE-2024-28986, indicating recurring issues with eliminating the root class of this error in this product.
An attacker can remotely execute arbitrary commands with the privileges of the application process on the server hosting SolarWinds Web Help Desk, which may lead to complete system compromise, data theft, and further lateral movement in the network.
SolarWinds Web Help Desk must be immediately updated to version 12.8.7 Hotfix 1 in accordance with the official release notes from the vendor. Until the patch is deployed, it is recommended to restrict network access to the Web Help Desk interface exclusively to trusted IP addresses.
SolarWinds Web Help Desk — versions indicated in vendor references; fix available in WHD 12.8.7 Hotfix 1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSolarwinds Web Help Desk
APPSolarwinds12.8.7≤ 12.8.6
CISA KEV — detailsi
- Vendori
- SolarWinds
- Producti
- Web Help Desk
- Added to KEVi
- March 9, 2026
- Remediation deadline (US Federal)i
- March 12, 2026(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.
Related vulnerabilities
RCE przez deserializację w SolarWinds Web Help Desk — bez uwierzytelnienia
SolarWinds Web Help Desk – hardcoded credential umożliwia zdalny dostęp
RCE przez Java Deserialization w SolarWinds Web Help Desk
SolarWinds Web Help Desk — pominięcie uwierzytelnienia (Auth Bypass)
SolarWinds Web Help Desk — zdalne wykonanie kodu przez niebezpieczną deserializację