SolarWinds Web Help Desk Faces Third Critical RCE Vulnerability: CVE-2025-26399

SolarWinds Web Help Desk (WHD) users have faced a relentless series of security challenges, with the latest being CVE-2025-26399—a critical vulnerability that exposes organizations to remote code execution (RCE) attacks. This flaw, rooted in unsafe deserialization within the AjaxProxy component, allows unauthenticated attackers to run arbitrary commands on affected servers. What makes this incident particularly striking is its place in a chain of patch bypasses: CVE-2025-26399 is a workaround for CVE-2024-28988, which itself was a bypass of CVE-2024-28986. This cycle underscores the persistent difficulties in securing complex IT support platforms, especially as attackers become more adept at exploiting serialization flaws (BleepingComputer).

The stakes are high. SolarWinds WHD is widely used for IT support, asset management, and compliance, making it a prime target for cybercriminals. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) previously flagged related vulnerabilities as actively exploited, and while there are no confirmed attacks leveraging CVE-2025-26399 yet, the risk remains significant. This latest patch—SolarWinds’ third attempt to close the RCE loophole—highlights the ongoing cat-and-mouse game between software vendors and threat actors, and the critical importance of timely patching and robust security practices (BleepingComputer).

The Vulnerability: CVE-2025-26399

Overview of CVE-2025-26399

CVE-2025-26399 is a critical security vulnerability affecting SolarWinds Web Help Desk (WHD), specifically version 12.8.7. This vulnerability is characterized by unsafe deserialization handling within the AjaxProxy component. The flaw allows an unauthenticated attacker to execute arbitrary commands on the host machine, posing significant security risks to organizations using the affected software. The vulnerability is a patch bypass of CVE-2024-28988, which itself was a bypass of CVE-2024-28986, highlighting a recurring issue in the software’s security measures (BleepingComputer).

Technical Details and Exploitation

The vulnerability arises from improper handling of serialized data within the AjaxProxy component. Serialization is a process where data structures or object states are converted into a format that can be stored or transmitted and later reconstructed. Insecure deserialization occurs when an application deserializes untrusted data, potentially leading to remote code execution (RCE) if an attacker can manipulate the serialized data to execute arbitrary code.

In the case of CVE-2025-26399, the vulnerability allows attackers to craft malicious serialized objects that, when deserialized by the vulnerable component, can execute commands on the server without requiring authentication. This makes it particularly dangerous, as attackers do not need valid credentials to exploit the flaw (BleepingComputer).

Impact and Risk Assessment

The impact of CVE-2025-26399 is significant due to its potential to allow unauthorized access and control over affected systems. Organizations using SolarWinds WHD for IT support request tracking, workflow automation, asset management, and compliance assurance are at risk. The vulnerability could be leveraged by attackers to disrupt operations, exfiltrate sensitive data, or deploy additional malicious payloads.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) had previously marked the original SolarWinds flaw as being actively exploited in attacks, adding it to the Known Exploited Vulnerabilities (KEV) catalog. Although there are currently no public reports of CVE-2025-26399 being exploited in the wild, the potential for exploitation remains high, given the nature of the vulnerability and its predecessors (BleepingComputer).

Mitigation and Remediation

SolarWinds has released a hotfix to address CVE-2025-26399, which requires users to update to Web Help Desk version 12.8.7. The update aims to rectify the insecure deserialization issue and prevent unauthorized command execution. Users are advised to apply the security update promptly to mitigate the risk of exploitation.

To apply the update, users should follow the instructions provided by SolarWinds, ensuring that all necessary steps are taken to secure their systems. This includes verifying the integrity of the update and testing it in a controlled environment before deploying it to production systems. Additionally, organizations should review their security policies and practices to ensure they are prepared to respond to potential threats (BleepingComputer).

Historical Context and Lessons Learned

The recurrence of vulnerabilities in SolarWinds WHD, as evidenced by the progression from CVE-2024-28986 to CVE-2025-26399, underscores the importance of robust security practices in software development and maintenance. Each vulnerability in the series represents a patch bypass, indicating that previous fixes were insufficient to address the underlying security issues.

This pattern highlights the need for comprehensive security assessments and testing, particularly in critical components like serialization and deserialization processes. Organizations should prioritize secure coding practices, regular security audits, and timely patch management to reduce the risk of similar vulnerabilities in the future.

Furthermore, the case of CVE-2025-26399 illustrates the importance of collaboration between security researchers and vendors. The vulnerability was reported to SolarWinds through the Trend Micro Zero Day Initiative (ZDI), demonstrating the value of coordinated vulnerability disclosure in enhancing software security and protecting users from potential threats (BleepingComputer).

Final Thoughts

The saga of CVE-2025-26399 is a vivid reminder that cybersecurity is never a one-and-done affair. Each new patch for SolarWinds WHD has been met with fresh attempts by attackers to find workarounds, illustrating the need for continuous vigilance and layered defenses. Organizations relying on platforms like WHD must prioritize not just patching, but also proactive security assessments and a culture of rapid response. The collaborative efforts between security researchers and vendors, as seen in the disclosure of this vulnerability through the Trend Micro Zero Day Initiative, are crucial for staying ahead of evolving threats (BleepingComputer).

As emerging technologies like AI and IoT expand the attack surface, serialization vulnerabilities and similar flaws will likely remain a favorite target for cybercriminals. The SolarWinds case serves as both a cautionary tale and a call to action: robust, ongoing security practices are essential to protect critical infrastructure and sensitive data in an increasingly interconnected world.

References

• SolarWinds releases third patch to fix Web Help Desk RCE bug. (2025). BleepingComputer. https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-patch-to-fix-web-help-desk-rce-bug/