Infographic on CVE-2025-26399: SolarWinds Web Help Desk logo with red alert icon, diagram of unauthenticated RCE via AjaxProxy deserialization, chain showing bypass of CVE-2024-28988 and CVE-2024-28986, affected versions (12.8.7 and earlier), upgrade path

SolarWinds has addressed a critical remote code execution (RCE) vulnerability in its Web Help Desk (WHD) software, designated CVE-2025-26399 with a CVSS score of 9.8. Identified by Trend Micro’s Zero Day Initiative, the flaw allows unauthenticated attackers to execute arbitrary commands via an AjaxProxy deserialization issue. This vulnerability is a patch bypass for CVE-2024-28988, which was itself a patch bypass for CVE-2024-28986. Exploitation could compromise the IT help desk and asset management systems that WHD runs for ticketing, inventory control, and budgeting.

The issue affects SolarWinds Web Help Desk versions 12.8.7 and all prior releases, enabling remote exploitation without authentication. WHD, a web-based solution for IT departments, provides visibility into assets and streamlines change management, but this flaw exposes it to severe risks like unauthorized system access.

To mitigate, users must upgrade to version 12.8.7 HF1. The hotfix modifies key files, including whd-core.jar, whd-web.jar, and whd-persistence.jar, and incorporates HikariCP.jar. Installation requires stopping the WHD service, backing up the existing files, replacing them with the hotfix copies, and restarting the service. Qualys customers can use QID 733223 for detection; refer to the SolarWinds Security Advisory for full details.
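A post-install check for the file replacement step above, as an added example that is not SolarWinds' own tooling: it hashes the four jars named in the advisory in the unpacked hotfix and confirms every copy under the WHD install tree matches. The two directory arguments and the function names are assumptions; no WHD directory layout is assumed, so the script searches by file name.

```python
import hashlib
import sys
from pathlib import Path

# Jar names come from the article; where they live on disk is not assumed.
HOTFIX_JARS = ("whd-core.jar", "whd-web.jar", "whd-persistence.jar", "HikariCP.jar")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_by_name(root, name):
    """Return every file under root with this name (case-insensitive)."""
    low = name.lower()
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.name.lower() == low)

def check_hotfix(install_root, hotfix_root):
    """Map each jar name to 'ok', 'stale', 'missing' or 'not-in-hotfix'."""
    report = {}
    for name in HOTFIX_JARS:
        wanted = find_by_name(hotfix_root, name)
        if not wanted:
            report[name] = "not-in-hotfix"
            continue
        expected = sha256_of(wanted[0])
        installed = find_by_name(install_root, name)
        if not installed:
            report[name] = "missing"
        elif any(sha256_of(p) != expected for p in installed):
            # Flags any non-matching copy in the tree, including backups left there.
            report[name] = "stale"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_hotfix.py <whd_install_dir> <unpacked_hotfix_dir>")
    result = check_hotfix(sys.argv[1], sys.argv[2])
    for jar, status in result.items():
        print(f"{status:14} {jar}")
    sys.exit(0 if all(s == "ok" for s in result.values()) else 1)
```

Store the pre-hotfix backups outside the install directory; otherwise the old jars are reported as stale.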
 