SolarWinds has released an urgent hotfix to address a critical security vulnerability in its Web Help Desk software. The flaw, tracked as CVE-2025-26399 with a CVSS severity score of 9.8, could allow attackers to execute arbitrary commands on affected systems without authentication.
The vulnerability impacts SolarWinds Web Help Desk 12.8.7 and all earlier versions. Security experts have warned that, if left unpatched, this flaw could open doors for hackers to take full control of targeted servers, making it a serious risk for organizations that rely on SolarWinds for IT service management.
CVE-2025-26399 is classified as a deserialization of untrusted data vulnerability. In simple terms, the flaw occurs because the software does not properly validate user-supplied input when handling certain data. This weakness could allow an attacker to inject malicious code through the vulnerable AjaxProxy component.
Once exploited, the attacker could execute commands directly on the host machine with SYSTEM-level privileges, which means complete control over the affected server. Since authentication is not required, this bug is especially dangerous — it can be exploited remotely by anyone who discovers an unpatched instance.
Interestingly, CVE-2025-26399 is not an entirely new bug. SolarWinds has confirmed that it is actually a patch bypass for two earlier vulnerabilities:
CVE-2024-28986 – originally discovered in 2024 and rated critical (CVSS 9.8).
CVE-2024-28988 – a later patch bypass of CVE-2024-28986.
Both of these flaws were tied to the same AjaxProxy deserialization weakness. While SolarWinds released patches for them, attackers found ways around those fixes, which eventually led to the discovery of CVE-2025-26399.
This cycle of patch, bypass, and re-patch highlights the difficulty of addressing complex software flaws fully and underscores the importance of rigorous testing in security updates.
The latest vulnerability was discovered by an anonymous security researcher working with the Trend Micro Zero Day Initiative (ZDI), a program that identifies and responsibly reports software flaws.
According to the ZDI advisory, the flaw exists because of insufficient input validation, making it possible for attackers to deserialize untrusted data. By exploiting this, malicious actors can gain unauthenticated remote code execution — one of the most severe categories of vulnerabilities.
As of now, there are no confirmed reports of active exploitation of CVE-2025-26399 in the wild. However, security experts are warning organizations not to ignore the issue.
It’s worth noting that the original flaw, CVE-2024-28986, was quickly added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog in 2024 after proof-of-concept exploits appeared. This shows that attackers are likely to weaponize these kinds of vulnerabilities soon after disclosure.
Given this history, many experts believe it is only a matter of time before attackers attempt to exploit CVE-2025-26399 as well.
In its official advisory, released on September 17, 2025, SolarWinds urged all customers to immediately update to Web Help Desk 12.8.7 HF1. This hotfix directly addresses the vulnerability and provides protection against potential exploitation.
SolarWinds emphasized that organizations should not delay applying the update, even if they have not seen suspicious activity yet. Keeping critical IT management tools like Web Help Desk secure is essential, since these platforms often integrate with sensitive systems and data.
The name SolarWinds carries significant weight in cybersecurity discussions, largely due to the 2020 SolarWinds supply chain attack. That attack, attributed to Russia’s Foreign Intelligence Service (SVR), compromised updates for the company’s Orion software and provided attackers with backdoor access into multiple U.S. government agencies and global enterprises.
Since then, every SolarWinds vulnerability has received heightened scrutiny. As Ryan Dewhurst, head of proactive threat intelligence at watchTowr, pointed out:
“In 2024, an unauthenticated deserialization bug (CVE-2024-28986) was patched, then patched again (CVE-2024-28988). And now, with CVE-2025-26399, we are seeing yet another patch to fix the same core flaw. The original bug was actively exploited, so while we haven’t yet seen attacks targeting this new bypass, history suggests it may only be a matter of time.”
For businesses and IT teams, the key takeaway is simple: patch immediately. Running outdated or unpatched versions of SolarWinds Web Help Desk leaves systems open to severe risks, including:
Remote takeover of servers without authentication.
Execution of malicious code that could lead to ransomware or spyware infections.
Loss of sensitive IT service data or exposure of internal help desk records.
Potential compliance violations if sensitive data is compromised.
In addition to applying the hotfix, organizations should:
Monitor logs and system activity for suspicious behavior.
Review network access controls to limit exposure of help desk software to the internet.
Implement intrusion detection tools that can spot unusual code execution attempts.
Regularly test security patches to confirm they close all identified loopholes.
The release of the SolarWinds CVE-2025-26399 hotfix is a critical reminder of the evolving nature of cybersecurity threats. Even well-known companies like SolarWinds face repeated challenges when trying to secure complex applications.
While this vulnerability is not yet confirmed to be exploited in the wild, its connection to past flaws that were actively weaponized means the risk is high. Organizations relying on SolarWinds Web Help Desk should act without delay by upgrading to version 12.8.7 HF1 and adopting proactive monitoring measures.
Pingback: Cisco Warns of Active SNMP Vulnerability CVE-2025-20352 in IOS XE Software