Critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk affecting the AjaxProxy component. This is a bypass of previous patches and allows direct exploitation over the internet without authentication.
Data Source: CIRCL
Confidence: HIGH
Exploitation Method: DIRECT_NETWORK
CVE Published: 2025-09-23
Added to CISA KEV: 2026-03-09 167 DAYS BETWEEN CVE AND KEV
Description. SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.Reference Type. SolarWinds: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399 Types: Patch, Vendor Advisory.
"This activity reflects a common but high-impact pattern: a single exposed application can provide a path to full domain compromise when vulnerabilities are unpatched or insufficiently monitored," the Windows maker said. "In this intrusion, attackers relied heavily on living-off-the-land techniques, legitimate administrative tools, and low-noise persistence mechanisms. These tradecraft choices reinforce the importance of defense in depth, timely patching of internet-facing services, and behavior-based detection across identity, endpoint, and network layers."
Huntress has observed active exploitation of a deserialization and remote code execution against the SolarWinds Web Help Desk software (CVE-2025-26399).On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control. This intrusion stemmed from the many recently disclosed vulnerabilities affecting SolarWinds WHD.
The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It affects SolarWinds Web Help Desk 12.8.7 and all previous versions. "SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine," SolarWinds said in an advisory released on September 17, 2025.
Further investigations are in-progress to confirm the actual vulnerabilities exploited, such as CVE-2025-40551 (critical untrusted data deserialization) and CVE-2025-40536 (security control bypass) and CVE-2025-26399. Successful exploitation allowed the attackers to achieve unauthenticated remote code execution on internet-facing deployments, allowing an external attacker to execute arbitrary commands within the WHD application context.