Severity
High
Analysis Summary
SolarWinds has released an urgent advisory addressing a critical remote code execution (RCE) vulnerability in its Web Help Desk software, tracked as CVE-2025-26399. Rated high severity on the CVSS scale, the flaw poses an immediate and serious risk, as it allows unauthenticated attackers to remotely execute arbitrary commands on affected systems. The vulnerability originates from the deserialization of untrusted data within the AjaxProxy component, a recurring weak point in the application’s codebase.
The issue is particularly alarming because it acts as a patch bypass for two previously fixed vulnerabilities, CVE-2024-28988 and CVE-2024-28986. This recurrence indicates a systemic weakness in how SolarWinds Web Help Desk handles serialized data, leaving the door open for attackers to exploit the same underlying flaw through new vectors. Such persistence underscores the complexity of securely addressing deserialization bugs, which are often prone to incomplete fixes and require deep architectural changes.
Discovery of this vulnerability has been credited to an anonymous researcher who responsibly disclosed the flaw. This collaboration highlights the continued importance of coordinated vulnerability disclosure in minimizing the exploitation window for critical software used by enterprises worldwide. Without timely mitigation, affected organizations could face complete system compromise, making exploitation particularly attractive to both cybercriminals and advanced persistent threat (APT) actors.
To mitigate the risk, SolarWinds has released Web Help Desk 12.8.7 Hotfix 1, which modifies several core components of the application, including whd-core.jar, whd-web.jar, and whd-persistence.jar, while also introducing the HikariCP.jar library. Administrators are strongly urged to stop the Web Help Desk service, back up existing files, replace them with the patched versions, and restart the service. SolarWinds warns that failing to apply the hotfix leaves systems exposed to complete remote takeover, making this patch a top priority for all organizations using the affected version.
Impact
- Code Execution
- Gain Access
Indicators of Compromise
CVE
CVE-2024-28988
CVE-2024-28986
CVE-2025-26399
Affected Vendors
Remediation
- Apply Web Help Desk 12.8.7 Hotfix 1 immediately to address CVE-2025-26399.
- Stop the Web Help Desk service before making any changes.
- Back up the existing core files (whd-core.jar, whd-web.jar, and whd-persistence.jar) before replacement.
- Replace the old files with the updated versions provided in the hotfix package.
- Add the new HikariCP.jar file as part of the patch deployment.
- Restart the Web Help Desk service after the updates are applied.
- Verify successful installation of the hotfix and confirm system functionality.
- Continuously monitor for exploitation attempts and apply future patches promptly.
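The steps above can be scripted so that the backup, replacement, and verification happen in a fixed order and the procedure refuses to start if the hotfix package is incomplete. The following POSIX shell script is an added example written for this summary; it is not SolarWinds' own installer or documentation. The install directory, the hotfix package layout (all five jars in one flat directory), and the service start/stop commands are assumptions set through environment variables, and you should substitute the paths and commands of your own deployment. The jar names (whd-core.jar, whd-web.jar, whd-persistence.jar, HikariCP.jar) are the ones the advisory lists.

```shell
#!/bin/sh
# Added example: apply the Web Help Desk 12.8.7 Hotfix 1 files in the order the
# advisory describes (stop, back up, replace, add HikariCP.jar, restart, verify).
# ASSUMED placeholders below: install directory, hotfix directory and service
# commands are not from SolarWinds documentation; override them via environment.
: "${WHD_INSTALL_DIR:=/opt/webhelpdesk/lib}"          # ASSUMED: directory holding the jars
: "${WHD_HOTFIX_DIR:=/tmp/whd-12.8.7-hotfix1}"         # ASSUMED: unpacked hotfix, flat layout
: "${WHD_SERVICE_STOP:=/opt/webhelpdesk/whd stop}"     # ASSUMED: service stop command
: "${WHD_SERVICE_START:=/opt/webhelpdesk/whd start}"   # ASSUMED: service start command

# Jars the advisory says the hotfix replaces, plus the new library it adds.
REPLACED_JARS="whd-core.jar whd-web.jar whd-persistence.jar"
NEW_JARS="HikariCP.jar"

# Refuse to touch the installation unless every file the hotfix must supply is present.
check_hotfix_package() {
    dir=$1
    for jar in $REPLACED_JARS $NEW_JARS; do
        [ -f "$dir/$jar" ] || { echo "hotfix package is missing $jar" >&2; return 1; }
    done
    return 0
}

# Copy the currently installed jars into a timestamped backup directory;
# prints the backup path so the caller can report it.
backup_jars() {
    install_dir=$1
    backup_dir="$install_dir/backup-$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup_dir" || return 1
    for jar in $REPLACED_JARS; do
        if [ -f "$install_dir/$jar" ]; then
            cp -p "$install_dir/$jar" "$backup_dir/" || return 1
        fi
    done
    echo "$backup_dir"
}

# Post-install check: each installed jar must be byte-for-byte the hotfix copy.
verify_installed() {
    install_dir=$1
    hotfix_dir=$2
    for jar in $REPLACED_JARS $NEW_JARS; do
        cmp -s "$install_dir/$jar" "$hotfix_dir/$jar" || { echo "$jar does not match hotfix" >&2; return 1; }
    done
    return 0
}

# Full procedure. Returns non-zero (and stops) at the first failing step.
apply_whd_hotfix() {
    install_dir=${1:-$WHD_INSTALL_DIR}
    hotfix_dir=${2:-$WHD_HOTFIX_DIR}
    check_hotfix_package "$hotfix_dir" || return 1
    sh -c "$WHD_SERVICE_STOP" || return 1
    backup_dir=$(backup_jars "$install_dir") || return 1
    for jar in $REPLACED_JARS $NEW_JARS; do
        cp -p "$hotfix_dir/$jar" "$install_dir/$jar" || return 1
    done
    sh -c "$WHD_SERVICE_START" || return 1
    verify_installed "$install_dir" "$hotfix_dir" || return 1
    echo "hotfix applied; previous jars saved in $backup_dir"
}

# Usage (with the assumed defaults or explicit paths):
#   apply_whd_hotfix /path/to/whd/lib /path/to/unpacked/hotfix
```

Keep the printed backup directory with your change record: if the service fails to come up after the restart, copying those jars back (and removing HikariCP.jar) returns the installation to its pre-hotfix state while you investigate, and the `verify_installed` step gives you a repeatable check that the vulnerable jars are no longer in place.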