Skip to main content
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Unauthenticated AjaxProxy deserialization RCE in SolarWinds Web Help Desk

IdentifiersCVE-2025-26399CWE-502· Deserialization of Untrusted Data

CVE-2025-26399 is a critical deserialization of untrusted data vulnerability in the AjaxProxy component of SolarWinds Web Help Desk (WHD). The flaw stems from insufficient validation of attacker-controlled serialized data processed by AjaxProxy, allowing a remote, unauthenticated attacker to trigger unsafe deserialization and execute arbitrary commands on the underlying host. The issue affects SolarWinds Web Help Desk 12.8.7 and earlier, and is fixed in 12.8.7 Hotfix 1. Multiple sources in the provided content describe CVE-2025-26399 as a patch bypass of CVE-2024-28988, which itself was a bypass or incomplete fix for CVE-2024-28986, making this the third patch attempt for the same underlying weakness.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation results in unauthenticated remote code execution on the Web Help Desk server host. An attacker can run arbitrary commands on the affected machine, leading to full compromise of the application server and likely complete loss of confidentiality, integrity, and availability for that system. The provided content also indicates the flaw has been actively exploited in the wild for initial access, including in intrusions associated with ransomware activity, enabling follow-on actions such as credential theft, deployment of tooling, persistence, lateral movement, data theft, and further compromise of internal environments.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network exposure to the Web Help Desk instance as much as possible, especially from untrusted networks and the public internet. Monitor logs and host telemetry for unusual command execution, unexpected administrative access, suspicious outbound traffic, and indicators of post-exploitation activity. Additional EDR monitoring on the WHD host and surrounding infrastructure is advisable. If the product cannot be patched promptly, the provided content indicates organizations should consider discontinuing use or disconnecting the system from the network until remediation can be applied.

Remediation

Patch, then assume compromise.

Upgrade SolarWinds Web Help Desk to 12.8.7 Hotfix 1 or later. The content specifically identifies 12.8.7 Hotfix 1 as the earliest patched version and notes SolarWinds released hotfixes in September 2025 to address this issue. Because CVE-2025-26399 is described as a bypass of prior fixes for CVE-2024-28988 and CVE-2024-28986, organizations should verify they are running the current fixed build rather than relying on earlier patches alone. After patching, review the server for signs of prior exploitation, including unexpected process execution, suspicious outbound connections, unauthorized tooling, and anomalous administrative activity.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
SolarWindsWeb Help Deskapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

154 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

154 SOURCESView more in app
techradarNews
Apr 20, 2026
Hackers hide ransomware tools inside virtual machines using QEMU, allowing attacks to remain largely invisible | TechRadar

A vulnerability in SolarWinds Web Help Desk used by attackers as an initial access vector in the STAC4713 campaign.

Read more
cyber security newsNews
Apr 20, 2026
Attackers Turn QEMU Into a Stealth Backdoor for Credential Theft and Ransomware

A vulnerability affecting SolarWinds Web Help Desk that is called out as needing patching to reduce exposure to active exploitation.

Read more
security affairsNews
Apr 18, 2026
Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware

A vulnerability in SolarWinds Web Help Desk that was exploited for initial access and led to QEMU deployment in observed intrusions.

Read more
bleeping computerNews
Apr 17, 2026
Payouts King ransomware uses QEMU VMs to bypass endpoint security

A vulnerability in SolarWinds Web Help Desk observed being exploited in more recent attacks as an initial access vector.

Read more
+37 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware14

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity110

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-26399
NVD
nvd.nist.gov/vuln/detail/CVE-2025-26399
MITRE CWE · CWE-502
Deserialization of Untrusted Data
Patch
solarwinds.com/trust-center/security-advisories/CVE-2025-26399
Third Party Advisory
microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk
Release Notes
documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26399