
Cloud Vulnerability DB
A community-led vulnerabilities database
SolarWinds Web Help Desk (WHD) was discovered to contain a critical vulnerability (CVE-2025-26399) that was disclosed on September 23, 2025. This vulnerability is an unauthenticated AjaxProxy deserialization remote code execution flaw that allows attackers to execute arbitrary commands on affected systems without requiring authentication. The vulnerability affects SolarWinds Web Help Desk version 12.8.7 and all previous versions. Notably, CVE-2025-26399 is a patch bypass of CVE-2024-28988, which itself was a patch bypass of CVE-2024-28986 (NVD, Arctic Wolf).
The vulnerability exists within the AjaxProxy component and stems from improper validation of user-supplied data, which can result in deserialization of untrusted data. It has been assigned a Critical severity rating with a CVSS score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The flaw is classified under CWE-502 (Deserialization of Untrusted Data) and allows attackers to execute code in the context of SYSTEM (Hacker News, SolarWinds Advisory).
If successfully exploited, the vulnerability allows attackers to execute arbitrary commands on the host machine running Web Help Desk. Given WHD's role as an IT service management platform, a compromised instance could expose sensitive information and potentially lead to broader system access. The critical severity rating indicates the potential for significant impact on affected organizations (Help Net Security).
SolarWinds has released version 12.8.7 Hotfix 1 to address this vulnerability. Organizations running affected versions of Web Help Desk are strongly advised to apply this hotfix immediately. The fix involves updating several core components including whd-core.jar, whd-web.jar, and whd-persistence.jar, as well as replacing the c3p0.jar file with HikariCP.jar (SolarWinds Documentation).
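As a post-patch check, the file changes listed above can be verified on disk. The following is an added example, not SolarWinds tooling or part of the original report: it takes the install directory as an argument (an assumption, since the page gives no path), and the function names and status strings are hypothetical.

```python
import os
import sys
import tempfile

# Jar names come from the hotfix description above; everything else is assumed.
UPDATED_JARS = ("whd-core.jar", "whd-web.jar", "whd-persistence.jar")
REMOVED_JAR, ADDED_JAR = "c3p0.jar", "HikariCP.jar"


def find_jars(root):
    """Map lower-cased jar name -> paths found anywhere under root."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                found.setdefault(name.lower(), []).append(os.path.join(dirpath, name))
    return found


def check_hotfix_layout(root):
    """Return (status, findings). A file-presence heuristic only: it cannot
    prove that the three updated jars carry the hotfix build."""
    jars = find_jars(root)
    missing_core = [n for n in UPDATED_JARS if n not in jars]
    if len(missing_core) == len(UPDATED_JARS):
        return "no-whd-jars-found", ["none of %s under %s" % (", ".join(UPDATED_JARS), root)]
    findings = ["%s not found" % n for n in missing_core]
    for path in jars.get(REMOVED_JAR.lower(), []):
        findings.append("%s still present: %s" % (REMOVED_JAR, path))
    if ADDED_JAR.lower() not in jars:
        findings.append("%s not found" % ADDED_JAR)
    return ("hotfix-layout-missing" if findings else "hotfix-layout-present"), findings


def make_tree(names):
    """Build a constructed directory of empty jar files for demonstration."""
    root = tempfile.mkdtemp(prefix="whd-demo-")
    lib = os.path.join(root, "lib")  # hypothetical sub-directory name
    os.makedirs(lib)
    for name in names:
        open(os.path.join(lib, name), "wb").close()
    return root


if __name__ == "__main__":
    # Pass the Web Help Desk install directory as the argument; with no
    # argument, a constructed pre-hotfix tree is checked instead.
    target = sys.argv[1] if len(sys.argv) > 1 else make_tree(UPDATED_JARS + (REMOVED_JAR,))
    status, findings = check_hotfix_layout(target)
    print(status)
    for line in findings:
        print(" -", line)
```

A `hotfix-layout-present` result only shows that the expected files are in place; compare the updated jars against the hotfix package to confirm their contents.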
Security researchers, including watchTowr's Ryan Dewhurst, have emphasized the significance of this vulnerability, particularly given SolarWinds' history with the infamous 2020 supply chain attack. The recurring nature of this vulnerability, the third iteration of a similar flaw, has raised concerns in the cybersecurity community about the effectiveness of previous patches (Hacker News).
Source: This report was generated using AI