Tags: actively-exploited-vulnerability, government-vulnerability-catalog, internet-facing-service-vulnerability, widely-deployed-product-advisory

Active Exploitation of SolarWinds Web Help Desk Insecure Deserialization (CVE-2025-26399)

Updated 3d ago | First seen Mar 12, 2026 | 2 sources

CVE-2025-26399 is a critical insecure deserialization flaw (CWE-502) in SolarWinds Web Help Desk that enables unauthenticated remote code execution (command execution) over the network. The issue resides in the product’s AjaxProxy component, where untrusted serialized data can be processed without sufficient validation. An attacker can deliver a crafted payload that results in arbitrary command execution on the host running the help desk application.

Multiple reports indicate the vulnerability is actively exploited in the wild, prompting CISA to add CVE-2025-26399 to the Known Exploited Vulnerabilities (KEV) catalog. NetSPI notes the flaw was disclosed in 2025 and is described as a patch bypass related to earlier issues (CVE-2024-28988 and CVE-2024-28986), and recommends immediate remediation by upgrading to SolarWinds Web Help Desk 12.8.7 Hotfix 1 or later; if patching is delayed, organizations should restrict network exposure of the server and increase monitoring for suspicious process execution and outbound connections.
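One way to act on the monitoring recommendation above, as an added example that is not code from NetSPI, CISA or SolarWinds: a triage pass over process-creation and network-connection events that follows the process tree under the help desk application. The Sysmon-style field names, the install-path marker, the interpreter list and the internal address ranges are assumptions to adjust for your environment.

```python
import ipaddress
from pathlib import PureWindowsPath

# Assumption: substring that identifies the Web Help Desk install path on your hosts.
WHD_PATH_MARKER = "webhelpdesk"
# Illustrative set of interpreters/utilities a help desk web app rarely needs to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "certutil.exe", "rundll32.exe"}
# Assumption: address space treated as internal; everything else counts as outbound.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def _is_whd(image):
    return WHD_PATH_MARKER in (image or "").lower()

def _is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def triage(events):
    """Return (reason, event) pairs, in event order, for analyst review."""
    findings, flagged_pids = [], set()
    for ev in events:
        if ev["EventID"] == 1:  # Sysmon-style process creation
            child = PureWindowsPath(ev["Image"]).name.lower()
            under_whd = _is_whd(ev.get("ParentImage")) or ev.get("ParentProcessId") in flagged_pids
            if under_whd and child in SUSPICIOUS_CHILDREN:
                flagged_pids.add(ev["ProcessId"])  # follow this process tree
                findings.append(("suspicious child of WHD", ev))
        elif ev["EventID"] == 3:  # Sysmon-style network connection
            in_tree = _is_whd(ev.get("Image")) or ev.get("ProcessId") in flagged_pids
            if in_tree and _is_external(ev["DestinationIp"]):
                findings.append(("outbound connection from WHD tree", ev))
    return findings

# Constructed sample events (not real telemetry; paths and PIDs are made up).
JAVA = r"C:\Program Files\WebHelpDesk\bin\java.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 2200, "Image": CMD, "ParentImage": JAVA},
    {"EventID": 3, "ProcessId": 4100, "Image": CMD, "DestinationIp": "203.0.113.10"},
    {"EventID": 3, "ProcessId": 2200, "Image": JAVA, "DestinationIp": "10.0.0.5"},
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 900, "Image": CMD,
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        print(reason, ev["ProcessId"], ev.get("DestinationIp", ev["Image"]))
```

Findings are leads for an analyst, not verdicts: the application's own legitimate external connections will also appear and should be baselined.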


EVENT TIMELINE

How this story unfolded

3 events from the most recent confirmed update back to the earliest known activity.

Mar 12, 2026 (4mo ago)

Federal remediation deadline arrives for CVE-2025-26399

CISA set March 12, 2026 as the deadline for affected federal agencies to remediate CVE-2025-26399 or discontinue use of the vulnerable product if patching was not possible. Guidance also called for monitoring for suspicious activity and restricting exposure.

Mar 9, 2026 (4mo ago)

CISA adds CVE-2025-26399 to the KEV catalog

CISA added CVE-2025-26399 to its Known Exploited Vulnerabilities catalog after determining the SolarWinds Web Help Desk flaw was being actively exploited in the wild. The addition also placed the vulnerability under BOD 22-01 remediation requirements for U.S. federal civilian executive branch agencies.

Jan 1, 2025 (1y ago)

SolarWinds patches CVE-2025-26399 in Web Help Desk 12.8.7 Hotfix 1

SolarWinds released Web Help Desk 12.8.7 Hotfix 1 as the earliest patched version addressing CVE-2025-26399, an unauthenticated remote code execution flaw in the AjaxProxy component. The issue was disclosed in 2025 and described as a bypass of fixes for CVE-2024-28988 and CVE-2024-28986.
