CVE-2025-26399
Published: 23 September 2025
Summary
CVE-2025-26399 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in SolarWinds Web Help Desk. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 3.2% of all CVEs by predicted exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
SolarWinds Web Help Desk contains an unauthenticated AjaxProxy deserialization remote code execution vulnerability tracked as CVE-2025-26399. The flaw is a Deserialization of Untrusted Data weakness (CWE-502) in the web application component that handles AjaxProxy requests. It carries a CVSS 3.1 score of 9.8 and is explicitly described as a patch bypass of CVE-2024-28988, which was itself a patch bypass of the earlier fix for CVE-2024-28986.
An attacker with no credentials or user interaction can send a crafted request over the network to trigger deserialization and execute arbitrary commands on the underlying host. Successful exploitation grants full control over the affected system, including the ability to read, modify, or delete data and to pivot further within the environment.
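The following is an added illustration, not SolarWinds code and not the Java component the advisory concerns: it shows why deserializing attacker-controlled data is code execution, using Python's standard-library pickle, and what the allowlisting fix looks like. The class names, the marker expression and the allowlist are assumptions made for the example; the mechanism (the serialized stream names a callable and its arguments, and the deserializer invokes it before the application sees the result) is the same one CWE-502 describes.

```python
"""Added example: the CWE-502 mechanism and its fix, shown with pickle.
Nothing here is SolarWinds code; class names and payloads are constructed."""

import builtins
import io
import pickle


class Ticket:
    """A legitimate type the application expects to receive over the wire."""

    def __init__(self, ticket_id: int, subject: str) -> None:
        self.ticket_id = ticket_id
        self.subject = subject


class Gadget:
    """Attacker-controlled class. Its __reduce__ tells the deserializer to call
    builtins.eval on an attacker-chosen expression; the server never needs this
    class, because only the reference to eval and the argument are serialized."""

    def __init__(self, expr: str) -> None:
        self.expr = expr

    def __reduce__(self):
        return (builtins.eval, (self.expr,))


def craft_malicious_payload(expr: str = "__import__('os').getcwd()") -> bytes:
    """What an unauthenticated sender would put in the request body."""
    return pickle.dumps(Gadget(expr))


def craft_legitimate_payload() -> bytes:
    return pickle.dumps(Ticket(42, "printer offline"))


def unsafe_deserialize(data: bytes):
    """Vulnerable pattern (CWE-502): the attacker's callable runs during load,
    before the application can inspect the resulting object."""
    return pickle.loads(data)


# Hardened form: only these (module, name) pairs may be resolved from the stream.
# Computed from the class itself so it is correct under any module name.
ALLOWED_GLOBALS = {(Ticket.__module__, "Ticket")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_deserialize(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def triage(data: bytes) -> tuple:
    """Convenience wrapper: ('accepted', obj) or ('rejected', reason)."""
    try:
        return ("accepted", safe_deserialize(data))
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("unsafe, malicious:", unsafe_deserialize(craft_malicious_payload()))
    print("safe, malicious:  ", triage(craft_malicious_payload()))
    status, ticket = triage(craft_legitimate_payload())
    print("safe, legitimate: ", status, ticket.subject)
```

The allowlist is the important part: a denylist of known gadget classes is what patch-bypass chains such as the one this CVE sits at the end of are built against, because the next gadget is always one the list does not name.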
SolarWinds has released Web Help Desk 12.8.7 Hotfix 1, documented in the corresponding release notes and security advisory, to address the issue. CISA lists the vulnerability in its Known Exploited Vulnerabilities catalog, which obliges US federal civilian agencies to remediate by the catalog's due date.
Active exploitation of the vulnerability has been observed in the wild, as detailed in reporting from Microsoft. The EPSS score peaked at 0.3422 and currently stands at 0.3053, roughly a 30% predicted probability of exploitation activity within the next 30 days, reflecting sustained attacker interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-30842
Vulnerability details
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
- CWE(s): CWE-502 (Deserialization of Untrusted Data)
- KEV Date Added: 09 March 2026
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated RCE in public-facing SolarWinds Web Help Desk via unsafe deserialization enables T1190 (Exploit Public-Facing Application) as the primary initial access vector.
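A practical hunt for the T1190 pattern described here, added as an example and not code from SolarWinds, Microsoft or CISA: it scans web request records for bodies that carry a serialized-object stream, including the encodings an attacker uses to slip past naive filters. Everything in the sample data is constructed. Assumptions not taken from the page: the log format (JSON lines from a reverse proxy that captures request bodies base64-encoded in a body_b64 field), the request paths (placeholders; the page does not give the real AjaxProxy URL), and that the payload is Java object serialization, since Web Help Desk is a Java application; its stream header is 0xACED0005, which base64-encodes to the familiar "rO0AB" prefix.

```python
"""Added example: hunting request logs for serialized-object payloads (T1190
against a deserialization endpoint). Log format, paths and payload bytes are
constructed; the Java stream header and its base64 prefix are real."""

import base64
import gzip
import json
import urllib.parse
from typing import List, Optional

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
JAVA_STREAM_MAGIC_B64 = b"rO0AB"          # the same four bytes, base64-encoded


def classify_body(body: bytes) -> Optional[str]:
    """Return the encoding layer at which a Java serialization header is found,
    or None. gzip is checked first because compressed bytes can contain any
    pattern; percent-encoding is peeled once, as a form post would be."""
    if body[:2] == b"\x1f\x8b":
        try:
            inflated = gzip.decompress(body)
        except (OSError, EOFError):
            return None
        return "gzip" if JAVA_STREAM_MAGIC in inflated else None
    if JAVA_STREAM_MAGIC in body:
        return "raw"
    if JAVA_STREAM_MAGIC_B64 in body:
        return "base64"
    if b"%" in body:
        decoded = urllib.parse.unquote_to_bytes(body)
        if JAVA_STREAM_MAGIC in decoded:
            return "percent-encoded"
        if JAVA_STREAM_MAGIC_B64 in decoded:
            return "percent-encoded base64"
    return None


def parse_log(text: str) -> List[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def scan(records: List[dict]) -> List[dict]:
    """One finding per request whose body carries a serialization header."""
    findings = []
    for rec in records:
        body = base64.b64decode(rec.get("body_b64", ""))
        layer = classify_body(body)
        if layer:
            findings.append({"ts": rec["ts"], "src": rec["src"],
                             "method": rec["method"], "path": rec["path"],
                             "layer": layer})
    return findings


def _b64(b: bytes) -> str:
    return base64.b64encode(b).decode()


# Constructed stand-in for a serialized Java object: genuine stream header and
# the start of a class descriptor, then cut short. Not a working payload.
SERIALIZED = JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap\x05\x07\xda\xc1\xc3\x16`\xd1"

# Constructed sample log. Paths are placeholders; source addresses are from the
# documentation ranges (RFC 5737).
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": "2025-09-24T02:11:04Z", "src": "198.51.100.7", "method": "POST",
     "path": "/helpdesk/login", "body_b64": _b64(b"username=alice&password=hunter2")},
    {"ts": "2025-09-24T02:11:09Z", "src": "203.0.113.15", "method": "POST",
     "path": "/helpdesk/AjaxProxy", "body_b64": _b64(SERIALIZED)},
    {"ts": "2025-09-24T02:11:12Z", "src": "203.0.113.15", "method": "POST",
     "path": "/helpdesk/AjaxProxy",
     "body_b64": _b64(b"payload=" + base64.b64encode(SERIALIZED))},
    {"ts": "2025-09-24T02:11:15Z", "src": "203.0.113.15", "method": "POST",
     "path": "/helpdesk/AjaxProxy",
     "body_b64": _b64(b"payload=" + urllib.parse.quote_from_bytes(SERIALIZED).encode())},
    {"ts": "2025-09-24T02:11:18Z", "src": "203.0.113.15", "method": "POST",
     "path": "/helpdesk/AjaxProxy", "body_b64": _b64(gzip.compress(SERIALIZED, mtime=0))},
    {"ts": "2025-09-24T02:12:00Z", "src": "198.51.100.7", "method": "GET",
     "path": "/helpdesk/", "body_b64": ""},
])

if __name__ == "__main__":
    for finding in scan(parse_log(SAMPLE_LOG)):
        print(finding)
```

Signature matching on the body is a triage aid, not a control: an attacker can stack encodings or split the stream across requests, so pair it with the patch-state check (is the instance on 12.8.7 Hotfix 1 or later?) and with host telemetry for the Web Help Desk service spawning shells or unexpected child processes.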
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching of known flaws such as CVE-2025-26399, here by applying SolarWinds Web Help Desk 12.8.7 Hotfix 1, the only complete fix for the deserialization RCE.
- RA-5 (Vulnerability Monitoring and Scanning): vulnerability scanning identifies Web Help Desk instances still below 12.8.7 Hotfix 1 and therefore exposed to this unauthenticated deserialization RCE.
- SI-10 (Information Input Validation): input validation in front of the AjaxProxy component can add a layer of defense against malicious deserialization payloads, but filtering serialized data by pattern is bypassable through re-encoding and does not substitute for the hotfix.