Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

Unauthenticated Java Deserialization RCE in SolarWinds Web Help Desk AjaxProxy

IdentifiersCVE-2024-28988CWE-502· Deserialization of Untrusted Data

CVE-2024-28988 is a critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk (WHD). According to the provided content, the flaw resides in the AjaxProxy component and is caused by deserialization of untrusted data due to insufficient validation of attacker-supplied input. SolarWinds describes it as a Java deserialization issue that allows a remote attacker to run commands on the host machine without authentication. The content further states that CVE-2024-28988 was itself a patch bypass for CVE-2024-28986, indicating the prior remediation did not fully eliminate the reachable insecure deserialization path(s) in WHD.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code/commands on the underlying Web Help Desk host. The provided content indicates execution may occur in a highly privileged context on Windows deployments, potentially SYSTEM. This can result in full compromise of confidentiality, integrity, and availability of the WHD server, including installation of malware, modification or deletion of data, credential theft, persistence, and use of the server as a pivot into the internal environment.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of the WHD application by removing direct Internet access, restricting access to the AjaxProxy/WHD interface to trusted administrative networks or VPN-only access, and monitoring for suspicious process execution and outbound connections from the WHD host. Review WHD and web access logs for exploitation attempts against AjaxProxy and prepare for incident response if compromise indicators are found. These measures are compensating controls only and do not fully remediate the vulnerability.

Remediation

Patch, then assume compromise.

Apply the vendor patch/hotfix released by SolarWinds for CVE-2024-28988. Because the provided content explicitly states that later vulnerabilities, including CVE-2025-26399, bypassed the CVE-2024-28988 fix, remediation should not rely on the CVE-2024-28988 patch alone if newer fixes are available. Upgrade to the latest supported SolarWinds Web Help Desk release that supersedes the vulnerable code paths and addresses subsequent bypasses as well.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
SolarWindsWeb Help Deskapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

32 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

32 SOURCESView more in app
netspi feedNews
Mar 10, 2026
CVE-2025-26399 SolarWinds Web Help Desk Overview and Takeaways - NetSPI

Prior SolarWinds Web Help Desk vulnerability whose patches can be bypassed by CVE-2025-26399 (details not provided in the content).

Read more
cyberthroneNews
Mar 10, 2026
CISA KEV Catalog Update - March 9 2026 - TheCyberThrone

A prior SolarWinds Web Help Desk vulnerability referenced as having an incomplete fix that is bypassed by CVE-2025-26399.

Read more
cyberthroneNews
Mar 10, 2026
CISA KEV Catalog Update - March 9 2026 - TheCyberThrone

A prior SolarWinds Web Help Desk vulnerability referenced as an incomplete fix that was bypassed by CVE-2025-26399.

Read more
watchtowr labsNews
Feb 25, 2026
Buy A Help Desk, Bundle A Remote Access Solution? (SolarWinds Web Help Desk Pre-Auth RCE Chain(s))

Pre-auth deserialization RCE in SolarWinds Web Help Desk reported via ZDI; disclosed Oct 2024 and patched June 2025; later patches were bypassed by subsequent issues per the content.

Read more
+11 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity17

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2024-28988
NVD
nvd.nist.gov/vuln/detail/CVE-2024-28988
MITRE CWE · CWE-502
Deserialization of Untrusted Data
Patch
solarwinds.com/trust-center/security-advisories/CVE-2024-28988