CVE-2025-26399
Published: 23 September 2025
Summary
CVE-2025-26399 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Solarwinds Web Help Desk. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 3.6% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires timely patching of known flaws like CVE-2025-26399, including the recommended SolarWinds Web Help Desk 12.8.7 Hotfix 1 to remediate the deserialization RCE.
Vulnerability scanning identifies unpatched SolarWinds Web Help Desk instances vulnerable to this unauthenticated deserialization RCE.
Information input validation helps block malicious deserialization payloads targeting the AjaxProxy component before they reach vulnerable code.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated RCE in public-facing SolarWinds Web Help Desk via unsafe deserialization enables T1190 (Exploit Public-Facing Application) as the primary initial access vector.
NVD Description
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988,…
more
which in turn is a patch bypass of CVE-2024-28986.
Deeper analysisAI
CVE-2025-26399 is an unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk, stemming from unsafe deserialization in the AjaxProxy component. If exploited, it allows attackers to execute arbitrary commands on the host machine. This issue serves as a patch bypass for CVE-2024-28988, which itself bypasses the patch for CVE-2024-28986. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-502 (Deserialization of Untrusted Data).
Any unauthenticated attacker with network access can exploit this vulnerability due to its low attack complexity and lack of prerequisites like privileges or user interaction. Successful exploitation enables remote code execution, resulting in high impacts across confidentiality, integrity, and availability, potentially leading to full compromise of the affected host.
SolarWinds advises applying Web Help Desk version 12.8.7 Hotfix 1 as the primary mitigation, with full details in their security advisory and release notes. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-26399 to its Known Exploited Vulnerabilities Catalog.
Microsoft has documented active exploitation of SolarWinds Web Help Desk vulnerabilities, including this CVE, highlighting real-world threats to affected environments.
Details
- CWE(s)
- KEV Date Added
- 09 March 2026