SolarWinds disclosed a **critical remote code execution (RCE) vulnerability (CVE-2025-26399)** in its **Web Help Desk (WHD) 12.8.7 and prior versions**, stemming from unsafe deserialization in the **AjaxProxy component**. This flaw, a **patch bypass** of two earlier vulnerabilities (CVE-2024-28986 and CVE-2024-28988), allows **unauthenticated attackers** to execute arbitrary commands on the host system. While no active exploitation has been reported yet, the original flaw (CVE-2024-28986) was previously **added to CISA’s Known Exploited Vulnerabilities (KEV) catalog** due to real-world attacks. The vulnerability affects **medium-to-large organizations** relying on WHD for IT support, workflow automation, and compliance. A hotfix has been released, requiring manual intervention (replacing JAR files and adding HikariCP.jar), but unpatched systems remain at risk of **full system compromise**, potentially enabling lateral movement within corporate networks. Given SolarWinds’ history with supply-chain attacks (e.g., the 2020 breach), this vulnerability poses a **high-risk vector for cybercriminals or state-sponsored actors** to infiltrate enterprise environments.
TPRM report: https://www.rankiteo.com/company/solarwinds
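The record below names the root cause as insecure deserialization with no validation of serialized data, and its recommendations include hardening deserialization in custom applications. The following Java program is an added example for that recommendation; it is not code from SolarWinds, Web Help Desk or the AjaxProxy component, and `TicketRequest`, `readUnfiltered` and `readFiltered` are hypothetical names. It places the unsafe pattern (deserializing a request body with no filter) beside the hardened pattern (a JDK deserialization filter, JEP 290, Java 9 and later, that admits only the one DTO the endpoint expects and bounds depth and size).

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;

/**
 * Added example, not SolarWinds or WHD code. Shows an endpoint that
 * deserializes a request body unfiltered next to the same endpoint with a
 * JDK deserialization filter (JEP 290, Java 9+). All names are hypothetical.
 */
public class DeserializationFilterDemo {

    /** The only type the endpoint legitimately accepts (hypothetical DTO). */
    public static final class TicketRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String subject;
        public TicketRequest(String subject) { this.subject = subject; }
    }

    /**
     * Unsafe pattern: readObject() instantiates whatever Serializable class
     * the stream names, so every class on the classpath is reachable from
     * an unauthenticated request body.
     */
    public static Object readUnfiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    /**
     * Hardened pattern: an allowlist filter. "!*" rejects every class not
     * matched earlier in the pattern; maxdepth/maxbytes/maxrefs bound the
     * stream so a hostile payload cannot exhaust the JVM either.
     */
    public static TicketRequest readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "DeserializationFilterDemo$TicketRequest;!*;maxdepth=4;maxbytes=65536;maxrefs=64");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowlist);
            // The filter runs before a class is resolved, so a disallowed class
            // raises InvalidClassException instead of being constructed.
            return (TicketRequest) in.readObject();
        }
    }

    /** Helper: serialize an object into the bytes a client might send. */
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(o);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: one expected DTO, one unexpected type. A harmless
        // JDK collection stands in for whatever class a hostile stream would name.
        byte[] expected = serialize(new TicketRequest("printer offline"));
        byte[] unexpected = serialize(new ArrayList<String>());

        System.out.println("unfiltered accepts: " + readUnfiltered(unexpected).getClass().getName());
        System.out.println("filtered accepts:   " + readFiltered(expected).subject);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejects:   " + e.getMessage());
        }
    }
}
```

Compile and run with `javac DeserializationFilterDemo.java && java DeserializationFilterDemo`. A per-stream filter as above is the narrowest fix; the same pattern string can also be applied process-wide with the `jdk.serialFilter` system property or `ObjectInputFilter.Config.setSerialFilter`, which catches deserialization in third-party code the application does not call directly. Allowlists (`!*` after the permitted classes) are preferable to denylists of known gadget classes, since a denylist is exactly the kind of fix that a later patch bypass defeats.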
"id": "sol5792457092325",
"linkid": "solarwinds",
"type": "Vulnerability",
"date": "6/2020",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
```json
{
  "affected_entities": [
    {
      "customers_affected": "Medium-to-large organizations using Web Help Desk (WHD) 12.8.7 or earlier",
      "industry": "IT Management & Monitoring",
      "location": "USA",
      "name": "SolarWinds",
      "size": "Large",
      "type": "Software Vendor"
    }
  ],
  "attack_vector": ["Network", "Unauthenticated Access", "Deserialization"],
  "customer_advisories": ["Security bulletin issued with remediation steps"],
  "description": "SolarWinds has released a hotfix for a critical vulnerability (CVE-2025-26399) in Web Help Desk (WHD) that allows unauthenticated remote code execution (RCE). The flaw is a patch bypass of two prior vulnerabilities (CVE-2024-28988 and CVE-2024-28986) and stems from unsafe deserialization in the AjaxProxy component. Successful exploitation permits attackers to execute commands on the host machine. The issue affects WHD version 12.8.7 and earlier. SolarWinds has provided a hotfix via its Customer Portal, requiring manual file replacements and a service restart. CISA previously added the original flaw (CVE-2024-28986) to its Known Exploited Vulnerabilities (KEV) catalog in August 2024.",
  "impact": {
    "brand_reputation_impact": ["Potential reputational damage due to recurring vulnerabilities in SolarWinds products"],
    "operational_impact": [
      "Potential unauthorized command execution on host machines",
      "Risk of workflow disruption in IT support systems"
    ],
    "systems_affected": ["SolarWinds Web Help Desk (WHD)"]
  },
  "investigation_status": "Ongoing (no public reports of exploitation as of disclosure)",
  "lessons_learned": [
    "Recurring patch bypasses highlight the need for robust vulnerability management and secure coding practices.",
    "Manual hotfix processes may delay remediation for organizations lacking dedicated IT resources.",
    "Proactive coordination with third-party researchers (e.g., ZDI) can accelerate vulnerability disclosure and patching."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Hotfix release with updated JAR files (including `HikariCP.jar` replacement for `c3p0.jar`)",
      "Enhanced secure coding guidelines for deserialization",
      "Collaboration with ZDI for vulnerability reporting"
    ],
    "root_causes": [
      "Insecure deserialization in AjaxProxy component",
      "Inadequate patching for prior vulnerabilities (CVE-2024-28988, CVE-2024-28986)",
      "Lack of input validation for serialized data"
    ]
  },
  "recommendations": [
    "Apply the SolarWinds hotfix for CVE-2025-26399 immediately.",
    "Monitor systems for signs of exploitation (e.g., unauthorized command execution).",
    "Review and harden deserialization practices in custom applications.",
    "Prioritize patching for internet-facing SolarWinds WHD instances.",
    "Consider network segmentation to limit exposure of help desk systems."
  ],
  "references": [
    {"source": "SolarWinds Security Bulletin"},
    {"source": "Trend Micro Zero Day Initiative (ZDI)"},
    {"source": "U.S. CISA KEV Catalog (CVE-2024-28986)", "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"},
    {"source": "SolarWinds WHD Upgrade Instructions"}
  ],
  "regulatory_compliance": {
    "regulatory_notifications": ["U.S. CISA added original flaw (CVE-2024-28986) to Known Exploited Vulnerabilities (KEV) catalog (August 2024)"]
  },
  "response": {
    "communication_strategy": ["Security bulletin published", "Upgrade instructions provided"],
    "containment_measures": ["Hotfix release (manual patching required)"],
    "incident_response_plan_activated": true,
    "recovery_measures": ["Hotfix application via SolarWinds Customer Portal"],
    "remediation_measures": [
      "Stop Web Help Desk service",
      "Backup and delete `c3p0.jar`",
      "Backup `whd-core.jar`, `whd-web.jar`, `whd-persistence.jar`",
      "Replace with hotfix-supplied JARs (`whd-core.jar`, `whd-web.jar`, `whd-persistence.jar`)",
      "Add `HikariCP.jar`",
      "Restart Web Help Desk"
    ],
    "third_party_assistance": ["Trend Micro Zero Day Initiative (ZDI)"]
  },
  "stakeholder_advisories": ["SolarWinds customers advised to apply hotfix via Customer Portal"],
  "title": "Critical Remote Code Execution (RCE) Vulnerability in SolarWinds Web Help Desk (CVE-2025-26399)",
  "type": ["Vulnerability", "Remote Code Execution (RCE)", "Patch Bypass"],
  "vulnerability_exploited": {
    "affected_versions": ["12.8.7", "12.8.3 and all prior versions"],
    "component": "AjaxProxy (unsafe deserialization)",
    "primary": "CVE-2025-26399",
    "related": ["CVE-2024-28988", "CVE-2024-28986"]
  }
}
```