Active Exploitation of SolarWinds Web Help Desk Insecure Deserialization (CVE-2025-26399)
CVE-2025-26399 is a critical insecure deserialization flaw (CWE-502) in SolarWinds Web Help Desk that enables unauthenticated remote code execution over the network. The issue resides in the product’s AjaxProxy component, where untrusted serialized data can be processed without sufficient validation, allowing an attacker to deliver a crafted payload that results in arbitrary command execution on the host running the help desk application.
Multiple reports indicate the vulnerability is actively exploited in the wild, prompting CISA to add CVE-2025-26399 to the Known Exploited Vulnerabilities (KEV) catalog. NetSPI notes the flaw was disclosed in 2025 and is described as a patch bypass related to earlier issues (CVE-2024-28988 and CVE-2024-28986). NetSPI recommends immediate remediation by upgrading to SolarWinds Web Help Desk 12.8.7 Hotfix 1 or later. If patching is delayed, organizations should restrict network exposure of the server and increase monitoring for suspicious process execution and outbound connections.
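
The monitoring recommendation above can be expressed as a triage rule over process-creation and network-connection telemetry from the help desk host. This is an added example, not code from the advisory, NetSPI or SolarWinds; the event field names, the install-path placeholder, the child-process list and the allowed networks are all assumptions to adapt to your environment.

```python
import ipaddress
import ntpath

# Placeholder install path (assumption): replace with the real location on your server.
WHD_INSTALL_MARKER = r"C:\EXAMPLE\helpdesk"
# Interpreters and utilities a help desk service rarely needs to spawn (assumed list).
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                       "bitsadmin.exe", "whoami.exe", "sh", "bash", "curl", "wget"}
# Networks the service is expected to reach, e.g. database and mail (constructed).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "127.0.0.0/8")]

def is_whd_process(image):
    """True when the executable path lies under the help desk install directory."""
    return WHD_INSTALL_MARKER.lower() in image.lower()

def exe_name(path):
    """Lower-cased file name; ntpath splits on both backslash and slash."""
    return ntpath.basename(path).lower()

def triage(events):
    """Return (event, reason) pairs that warrant analyst review."""
    findings = []
    for ev in events:
        if ev["type"] == "process_create" and is_whd_process(ev["parent_image"]):
            child = exe_name(ev["image"])
            if child in SUSPICIOUS_CHILDREN:
                findings.append((ev, f"help desk service spawned {child}"))
        elif ev["type"] == "network_connect" and is_whd_process(ev["image"]):
            dst = ipaddress.ip_address(ev["dst_ip"])
            if not any(dst in net for net in ALLOWED_NETS):
                findings.append((ev, f"unexpected outbound connection to {dst}:{ev['dst_port']}"))
    return findings

# Constructed sample events, not real telemetry.
JAVA = WHD_INSTALL_MARKER + r"\jre\bin\java.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "parent_image": JAVA, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process_create", "parent_image": JAVA, "image": JAVA},
    {"type": "process_create", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network_connect", "image": JAVA, "dst_ip": "10.20.0.15", "dst_port": 5432},
    {"type": "network_connect", "image": JAVA, "dst_ip": "203.0.113.50", "dst_port": 443},
]

if __name__ == "__main__":
    for event, reason in triage(SAMPLE_EVENTS):
        print(reason, "->", event)
```

Only the shell spawned by the help desk's Java process and the connection outside the allowed networks are reported; the same shell started from an interactive session is ignored.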

How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Federal remediation deadline arrives for CVE-2025-26399
CISA set March 12, 2026 as the deadline for affected federal agencies to remediate CVE-2025-26399 or discontinue use of the vulnerable product if patching was not possible. Guidance also called for monitoring for suspicious activity and restricting exposure.
CISA adds CVE-2025-26399 to the KEV catalog
CISA added CVE-2025-26399 to its Known Exploited Vulnerabilities catalog after determining the SolarWinds Web Help Desk flaw was being actively exploited in the wild. The addition also placed the vulnerability under BOD 22-01 remediation requirements for U.S. federal civilian executive branch agencies.
SolarWinds patches CVE-2025-26399 in Web Help Desk 12.8.7 Hotfix 1
SolarWinds released Web Help Desk 12.8.7 Hotfix 1 as the earliest patched version addressing CVE-2025-26399, an unauthenticated remote code execution flaw in the AjaxProxy component. The issue was disclosed in 2025 and described as a bypass of fixes for CVE-2024-28988 and CVE-2024-28986.


