Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

SolarWinds Web Help Desk AjaxProxy Java Deserialization RCE

IdentifiersCVE-2024-28986CWE-502· Deserialization of Untrusted Data

CVE-2024-28986 is a critical remote code execution vulnerability in SolarWinds Web Help Desk (WHD) caused by unsafe Java deserialization in the AjaxProxy functionality. The issue allows attacker-controlled data sent to the AjaxProxy endpoint to be deserialized and used to execute commands on the underlying host. Multiple supporting references in the provided content describe the flaw as an AjaxProxy deserialization issue in WHD and note that it was initially reported as unauthenticated/pre-auth remote code execution, although SolarWinds stated it could not reproduce exploitation without authentication during its own testing. The vulnerability was significant enough that later issues, including CVE-2024-28988 and CVE-2025-26399, were described as patch bypasses of this original flaw, indicating the underlying deserialization attack surface was not fully remediated in early fixes.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary command execution on the SolarWinds Web Help Desk host, leading to full compromise of confidentiality, integrity, and availability of the affected system. Because WHD commonly operates as an internal IT service management platform, compromise may also expose ticketing data, asset information, credentials, workflow data, and provide a foothold for lateral movement into broader enterprise infrastructure. The content also indicates the vulnerability was exploited in the wild and added to CISA’s Known Exploited Vulnerabilities catalog shortly after disclosure.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to the Web Help Desk instance, especially any exposure of the AjaxProxy endpoint to untrusted networks. Limit access to trusted administrative networks or VPN users, monitor for suspicious requests targeting AjaxProxy or Helpdesk.woa paths, review WHD logs for deserialization/JSONRPC anomalies and unexpected process execution, and deploy endpoint monitoring to detect command execution or post-exploitation behavior on the WHD host. These measures reduce exposure but do not eliminate the underlying vulnerability.

Remediation

Patch, then assume compromise.

Apply the vendor patch released by SolarWinds for CVE-2024-28986 and ensure subsequent fixes addressing bypasses are also installed, as later content indicates the original remediation was incomplete and was bypassed by CVE-2024-28988 and then CVE-2025-26399. Organizations should verify they are running a version that includes the final effective fix for the AjaxProxy deserialization weakness rather than relying solely on the initial 2024 patch level.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
SolarWindsWeb Help Deskapplication
SolarWindsWebhelpdeskapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

35 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

35 SOURCESView more in app
cso onlineNews
Mar 11, 2026
CISA warns of actively exploited Ivanti EPM and Cisco SD-WAN flaws | CSO Online

An older Java deserialization vulnerability referenced as having been exploited in the wild soon after being patched; CVE-2025-26399 is described as a bypass to it.

Read more
netspi feedNews
Mar 10, 2026
CVE-2025-26399 SolarWinds Web Help Desk Overview and Takeaways - NetSPI

Prior SolarWinds Web Help Desk vulnerability whose patches can be bypassed by CVE-2025-26399 (details not provided in the content).

Read more
cyberthroneNews
Mar 10, 2026
CISA KEV Catalog Update - March 9 2026 - TheCyberThrone

An earlier SolarWinds Web Help Desk vulnerability referenced as the original issue underlying later patch-bypass iterations (including CVE-2024-28988 and CVE-2025-26399).

Read more
cyberthroneNews
Mar 10, 2026
CISA KEV Catalog Update - March 9 2026 - TheCyberThrone

The original SolarWinds Web Help Desk vulnerability in the lineage that later saw an incomplete fix (CVE-2024-28988) and a subsequent bypass (CVE-2025-26399).

Read more
+17 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity14

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-28986
NVD
nvd.nist.gov/vuln/detail/CVE-2024-28986
MITRE CWE · CWE-502
Deserialization of Untrusted Data
Vendor Advisory
solarwinds.com/trust-center/security-advisories/CVE-2024-28986
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-28986