Cyber Resilience

CVE-2025-26399

Critical · CISA KEV · Active Exploitation · EUVD Exploited · RCE

Published: 23 September 2025
Modified: 10 March 2026
KEV Added: 09 March 2026
Patch: SolarWinds Web Help Desk 12.8.7 Hotfix 1
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3053 (96.8th percentile)
Risk Priority: 58 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-26399 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SolarWinds Web Help Desk. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 3.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

SolarWinds Web Help Desk contains an unauthenticated AjaxProxy deserialization remote code execution vulnerability tracked as CVE-2025-26399. The flaw stems from improper handling of serialized data (CWE-502) and affects the web application component that processes AjaxProxy requests. It carries a CVSS 3.1 score of 9.8 and is explicitly described as a patch bypass of the earlier issue CVE-2024-28988, which was itself a patch bypass of CVE-2024-28986.

An attacker with no credentials or user interaction can send a crafted request over the network to trigger deserialization and execute arbitrary commands on the underlying host. Successful exploitation grants full control over the affected system, including the ability to read, modify, or delete data and to pivot further within the environment.

SolarWinds has released hotfix 1 for version 12.8.7, documented in the corresponding release notes and security advisory, to address the issue. CISA lists the vulnerability in its Known Exploited Vulnerabilities catalog, indicating that federal agencies must apply mitigations according to the published timelines.

Active exploitation of the vulnerability has been observed in the wild, as detailed in reporting from Microsoft. The EPSS score reached a peak of 0.3422 with a current value of 0.3053, reflecting sustained interest following disclosure.

Vulnerability details

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

CWE(s): CWE-502 (Deserialization of Untrusted Data)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated RCE in public-facing SolarWinds Web Help Desk via unsafe deserialization enables T1190 (Exploit Public-Facing Application) as the primary initial access vector.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-40551 · Same product: SolarWinds Web Help Desk · both on KEV
CVE-2025-40536 · Same product: SolarWinds Web Help Desk · both on KEV
CVE-2025-40553 · Same product: SolarWinds Web Help Desk
CVE-2024-28988 · Same product: SolarWinds Web Help Desk
CVE-2025-40554 · Same product: SolarWinds Web Help Desk
CVE-2025-40552 · Same product: SolarWinds Web Help Desk
CVE-2025-40537 · Same product: SolarWinds Web Help Desk
CVE-2026-28299 · Same product: SolarWinds Web Help Desk
CVE-2025-40539 · Same product class: network monitoring / SIEM
CVE-2025-40540 · Same product class: network monitoring / SIEM

Affected Assets

Vendor: solarwinds
Product: web help desk
Affected versions: 12.8.7 · ≤ 12.8.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent · SI-2 (Flaw Remediation)

Directly requires timely patching of known flaws like CVE-2025-26399, including the recommended SolarWinds Web Help Desk 12.8.7 Hotfix 1 to remediate the deserialization RCE.

detect · RA-5 (Vulnerability Monitoring and Scanning)

Vulnerability scanning identifies unpatched SolarWinds Web Help Desk instances vulnerable to this unauthenticated deserialization RCE.

prevent · SI-10 (Information Input Validation)

Information input validation helps block malicious deserialization payloads targeting the AjaxProxy component before they reach vulnerable code.
