🔴 CVE-2025-26399

Critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk affecting the AjaxProxy component. This is a bypass of previous patches and allows direct exploitation over the internet without authentication.

Risk Level: HIGH_RISK

CVSS Score: 9.8

Attack Vector: NETWORK

ATT&CK Tactic: Initial Access

ATT&CK Technique: T1190 — Exploit Public-Facing Application

Deployment Risk: HIGH

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: DIRECT_NETWORK

CVE Published: 2025-09-23

Added to CISA KEV: 2026-03-09 (167 days between CVE publication and KEV addition)

🎯 Recommendations:

🔍 Web Intelligence (Kagi · 2026-03-09)

CVE-2025-26399 is a critical remote code execution (RCE) vulnerability affecting SolarWinds Web Help Desk (WHD) software [4] [7] [11] [15] [16]. It stems from an insecure deserialization flaw within the AjaxProxy component [1] [4] [6] [11] [12] [13] [14] [16] [19]. This vulnerability is a bypass of the previous fix for CVE-2024-28988, which itself was a bypass of the fix for CVE-2024-28986 [1] [4] [17] [18] [20].

Here's a breakdown of what is known about its exploitation:

  • Internet-Facing Applications/Services:
    * Yes, CVE-2025-26399 affects internet-facing deployments of SolarWinds Web Help Desk [2] [5]. Successful exploitation allows an external attacker to execute arbitrary commands within the WHD application context [1] [4] [5] [16] [17].
  • Evidence of Active Exploitation in the Wild:
    * Yes, there is evidence of active exploitation in the wild [2] [3] [5] [10] [15] [21] [22]. Reports indicate that exploitation activity began as early as December 2025 [10], with ongoing campaigns observed in February 2026 [3] [5] [6] [12] [21] [22]. Some sources note that active exploitation of CVE-2025-26399 specifically had not been confirmed in September 2025, although history suggested it was likely [4]; by February 2026, active exploitation was confirmed [3] [5].
  • Attack Vectors and Exploitation Methods:
    * The vulnerability allows for unauthenticated remote code execution [1] [4] [5] [11] [13] [14] [16] [17] [19].
    * Attackers exploit the deserialization flaw in the AjaxProxy component to run commands on the host machine [1] [4] [6] [12] [16].
    * In observed attacks, threat actors have deployed Zoho ManageEngine and Cloudflare tunnels for persistence, and Velociraptor for command and control [3] [21] [22].
    * Exploitation chains have been observed where the WHD service wrapper spawns `java.exe`, which then executes the Windows command processor (`cmd.exe`) [6] [12].
    * Attackers have also been noted to use "living-off-the-land" techniques, leveraging legitimate administrative tools and low-noise persistence mechanisms [2].
  • Use in Targeted Attacks:
    * While specific details about targeted attacks are not extensively documented for CVE-2025-26399, the nature of the vulnerability and its exploitation in ongoing campaigns suggest it can be used in targeted attacks. Microsoft noted that such vulnerabilities in exposed applications can provide a path to full domain compromise [2].
  • CISA Known Exploited Vulnerabilities (KEV) Status:
    * CVE-2025-26399 has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog [8] [23]. This designation indicates that CISA has confirmed active exploitation of the vulnerability in the wild [9] [24] [25].
  • Technical Details about Internet Exploitability:
    * The vulnerability is an unauthenticated deserialization flaw in the AjaxProxy component of SolarWinds Web Help Desk [1] [4] [6] [11] [12] [13] [14] [16] [19].
    * This allows remote attackers to execute arbitrary code on affected installations [4].
    * Exploitability is high because no authentication is required and a successful exploit can run commands on the host machine [1] [4] [16] [17].
    * The CVSS score is critical, at 9.8 [4] [11].

Sources

  1. NVD - CVE-2025-26399

    Description. SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Reference Type. SolarWinds: https://www.solarwinds.com/trust-center/se…

  2. SolarWinds Web Help Desk Exploited for RCE in Multi-Stage Attacks on ...

    "This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored," the Windows maker said. "In this intrusion, attackers relied heavily on living-off-the-land techniques,…

  3. Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)

    Huntress has observed active exploitation of a deserialization and remote code execution against the SolarWinds Web Help Desk software (CVE-2025-26399).On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidl…

  4. SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code...

    The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects SolarWinds Web Help Desk 12.8.7 and all previous versions. "SolarWinds Web Help Desk was found to be susceptible to a…

  5. Analysis of active exploitation of SolarWinds Web Help Desk

    Further investigations are in progress to confirm the actual vulnerabilities exploited, such as CVE-2025-40551 (critical untrusted data deserialization), CVE-2025-40536 (security control bypass) and CVE-2025-26399. Successful exploitation allowed the attackers to achieve unauthenticated remote co…