Active Exploitation of SolarWinds Web Help Desk Insecure Deserialization (CVE-2025-26399)

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, internet-facing-service-vulnerability, widely-deployed-product-advisory

Updated March 21, 2026 at 05:51 AM (2 sources)

CVE-2025-26399 is a critical insecure deserialization flaw (CWE-502) in SolarWinds Web Help Desk that enables unauthenticated remote code execution/command execution over the network. The issue resides in the product’s AjaxProxy component, where untrusted serialized data can be processed without sufficient validation, allowing an attacker to deliver a crafted payload that results in arbitrary command execution on the host running the help desk application.

Multiple reports indicate the vulnerability is actively exploited in the wild, prompting CISA to add CVE-2025-26399 to the Known Exploited Vulnerabilities (KEV) catalog. NetSPI notes the flaw was disclosed in 2025 and is described as a patch bypass related to earlier issues (CVE-2024-28988 and CVE-2024-28986), and recommends immediate remediation by upgrading to SolarWinds Web Help Desk 12.8.7 Hotfix 1 or later; if patching is delayed, organizations should restrict network exposure of the server and increase monitoring for suspicious process execution and outbound connections.
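As an added example (not code from Mallory, NetSPI or SolarWinds), the following Python helper turns the "upgrade to 12.8.7 Hotfix 1 or later" guidance into an inventory check: it parses Web Help Desk version strings, compares them against the fixed versions this page names (12.8.7 Hotfix 1 for CVE-2025-26399; 2026.1 for CVE-2025-40551 and CVE-2025-40536), and lists internet-exposed unpatched hosts first. The version-string format, the inventory fields and the host names are assumptions, and the sample inventory is constructed.

```python
import re
from dataclasses import dataclass

# Fixed-in versions as stated on this page (CVE -> earliest patched release).
FIXED_IN = {
    "CVE-2025-26399": "12.8.7 Hotfix 1",
    "CVE-2025-40551": "2026.1",
    "CVE-2025-40536": "2026.1",
}

# Assumed format: dotted numeric base, optionally followed by "Hotfix N" or "HF N".
_VERSION_RE = re.compile(
    r"^\s*(\d+(?:\.\d+)*)\s*(?:(?:hotfix|hf)\s*(\d+))?\s*$", re.IGNORECASE
)

def parse_version(text):
    """Convert 'major.minor.patch[ Hotfix N]' into a comparable tuple.
    The base is padded to three fields so '2026.1' becomes (2026, 1, 0, 0) and
    a hotfix only outranks the same base release, never the next patch level."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    base = [int(p) for p in m.group(1).split(".")]
    base += [0] * (3 - len(base))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return tuple(base) + (hotfix,)

def missing_fixes(version):
    """Return the CVEs from FIXED_IN whose fix is newer than the installed version."""
    installed = parse_version(version)
    return sorted(cve for cve, fixed in FIXED_IN.items() if installed < parse_version(fixed))

@dataclass
class Instance:
    host: str
    version: str
    internet_exposed: bool  # reachable from untrusted networks (assumed inventory field)

def triage(instances):
    """Rank unpatched instances: priority 0 = internet-exposed (patch or isolate now),
    priority 1 = internal only. Fully patched instances are omitted."""
    rows = []
    for inst in instances:
        missing = missing_fixes(inst.version)
        if missing:
            rows.append((0 if inst.internet_exposed else 1, inst.host, inst.version, missing))
    return sorted(rows)

# Constructed sample inventory; host names are placeholders, not real systems.
SAMPLE = [
    Instance("whd-dmz-01", "12.8.7", True),
    Instance("whd-corp-02", "12.8.7 Hotfix 1", False),
    Instance("whd-corp-03", "2026.1", False),
    Instance("whd-lab-04", "12.8.5", False),
]
```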

Timeline

  1. Mar 12, 2026

    Federal remediation deadline arrives for CVE-2025-26399

    CISA set March 12, 2026 as the deadline for affected federal agencies to remediate CVE-2025-26399 or discontinue use of the vulnerable product if patching was not possible. Guidance also called for monitoring for suspicious activity and restricting exposure.

  2. Mar 9, 2026

    CISA adds CVE-2025-26399 to the KEV catalog

    CISA added CVE-2025-26399 to its Known Exploited Vulnerabilities catalog after determining the SolarWinds Web Help Desk flaw was being actively exploited in the wild. The addition also placed the vulnerability under BOD 22-01 remediation requirements for U.S. federal civilian executive branch agencies.

  3. Jan 1, 2025

    SolarWinds patches CVE-2025-26399 in Web Help Desk 12.8.7 Hotfix 1

    SolarWinds released Web Help Desk 12.8.7 Hotfix 1 as the earliest patched version addressing CVE-2025-26399, an unauthenticated remote code execution flaw in the AjaxProxy component. The issue was disclosed in 2025 and described as a bypass of fixes for CVE-2024-28988 and CVE-2024-28986.

Related Stories

CISA Orders Patching of Exploited SolarWinds Web Help Desk RCE (CVE-2025-40551)
The U.S. Cybersecurity and Infrastructure Security Agency (**CISA**) added **CVE-2025-40551**—a critical (CVSS 9.8) *SolarWinds Web Help Desk (WHD)* vulnerability—to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation. The flaw is described as **deserialization of untrusted data** that can enable **unauthenticated remote code execution**, potentially allowing full compromise of affected WHD servers; the issue was reported to SolarWinds by Horizon3.ai researcher **Jimi Sebree**. CISA also issued a directive requiring U.S. federal civilian agencies to patch CVE-2025-40551 by the stated deadline, and SolarWinds released a fix in *Web Help Desk* version **2026.1**. Reporting tied the bug to a prior WHD issue (**CVE-2024-28986**) and characterized CVE-2025-40551 as part of a sequence of vulnerabilities involving bypasses of earlier fixes; CISA’s KEV update also included additional exploited flaws in **Sangoma FreePBX** (including **CVE-2019-19006** and **CVE-2025-64328**) and **GitLab** (**CVE-2021-39935**, SSRF), expanding the set of vulnerabilities agencies must remediate under KEV timelines.

1 month ago
Critical RCE and Authentication Bypass Vulnerabilities in SolarWinds Web Help Desk
SolarWinds released security updates for *Web Help Desk (WHD)* to address multiple critical vulnerabilities that could allow **unauthenticated remote attackers** to bypass authentication and achieve **remote code execution (RCE)**. The patched issues include two critical authentication bypass flaws, **CVE-2025-40552** and **CVE-2025-40554** (reported by watchTowr researcher Piotr Bazydlo), and two critical RCE flaws tied to **untrusted data deserialization**, **CVE-2025-40553** (Bazydlo) and **CVE-2025-40551** (reported by Horizon3.ai researcher Jimi Sebree), enabling remote command execution without prior access. SolarWinds also fixed a high-severity **hardcoded credentials** issue, **CVE-2025-40537**, which could enable unauthorized access to administrative functions under certain conditions. The vendor advised administrators to upgrade to **Web Help Desk 2026.1** and patch quickly, noting WHD has a history of being targeted and previously had vulnerabilities flagged as actively exploited by CISA, reinforcing the likelihood of rapid attacker interest following disclosure and patch availability.

1 month ago
CISA Flags Actively Exploited SolarWinds Web Help Desk Flaw as Metasploit Adds Exploit Modules
**CISA added multiple vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog**, including a critical **SolarWinds Web Help Desk (WHD)** security protection bypass tracked as `CVE-2025-40536` (CVSS 9.8). The issue stems from flawed CSRF-check logic that relies on a whitelist of query parameters, which can be bypassed with crafted URI parameters to reach restricted functionality without authentication; SolarWinds patched the flaw in *WHD 2026.1*. CISA set an accelerated remediation deadline for U.S. Federal Civilian Executive Branch agencies, and Microsoft separately reported an active campaign targeting SolarWinds WHD but did not confirm whether `CVE-2025-40536` was the specific vulnerability exploited. Rapid7 reported that **Metasploit added exploit module support for SolarWinds WHD vulnerabilities `CVE-2025-40536` and `CVE-2025-40551`**, enabling post-exploitation sessions running as `NT AUTHORITY\SYSTEM` when successful. This increases operational risk for unpatched environments by lowering the barrier to exploitation and reinforces the urgency of applying SolarWinds’ available fixes and validating exposure of WHD instances, particularly those reachable from untrusted networks.

1 month ago