SolarWinds Web Help Desk CVE-2025-26399: Brief Summary of AjaxProxy Deserialization RCE Patch Bypass

Brief summary of CVE-2025-26399, a critical unauthenticated AjaxProxy deserialization remote code execution vulnerability in SolarWinds Web Help Desk. This post covers affected versions, technical details, and vendor security history based on available public information.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-09-22

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers can achieve remote code execution on SolarWinds Web Help Desk servers without authentication, leveraging a deserialization flaw in the AjaxProxy component. This vulnerability has enabled threat actors to bypass multiple previous patches, exposing organizations to repeated compromise even after diligent patching efforts.

SolarWinds Web Help Desk is a widely used IT service management solution, deployed by enterprises and government agencies for ticketing, asset management, and workflow automation. The platform has a significant footprint in the ITSM market, and its security posture directly impacts the operational resilience of thousands of organizations worldwide.

Technical Information

CVE-2025-26399 is an unauthenticated remote code execution vulnerability in the AjaxProxy component of SolarWinds Web Help Desk. The root cause is insecure deserialization of untrusted data (CWE-502). Attackers can send crafted serialized payloads to the AjaxProxy endpoint, which the server then deserializes without proper validation. This process can trigger execution of attacker-controlled code on the host system.

This vulnerability is a direct patch bypass of CVE-2024-28988, which itself bypassed the fix for CVE-2024-28986. The repeated bypasses indicate that the deserialization logic in AjaxProxy was not comprehensively secured. Each patch iteration failed to address all exploitable code paths or gadget chains, leaving the core deserialization mechanism exposed to alternative exploitation techniques.

No public code snippets or proof of concept are available for this vulnerability. However, the attack does not require authentication, making exploitation feasible by any remote attacker with network access to the vulnerable endpoint. The attack surface is the AjaxProxy endpoint, which is accessible in default installations of affected versions.
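The flaw class behind this CVE, shown as an added example that is not SolarWinds code and does not reproduce the AjaxProxy implementation: an unfiltered ObjectInputStream instantiates whatever class the incoming bytes name, whereas a JEP 290 allowlist filter rejects every type except the one the endpoint actually expects. The Ticket and Unexpected classes and the allowlist contents are assumptions; a denylist of known gadget classes is the approach that leaves room for the kind of repeated bypass described above.

```java
import java.io.*;

public class AllowlistDeserialization {
    // Constructed benign DTO standing in for whatever the endpoint legitimately expects (assumption).
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id; final String subject;
        Ticket(int id, String subject) { this.id = id; this.subject = subject; }
    }
    // Any serializable class not on the allowlist; it carries no gadget behaviour, it only
    // demonstrates that the unfiltered path accepts types the application never asked for.
    static final class Unexpected implements Serializable {
        private static final long serialVersionUID = 1L;
    }

    // Vulnerable pattern (CWE-502): the class named in the stream is resolved and instantiated.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return in.readObject();
        }
    }

    // Hardened pattern: JEP 290 allowlist. Only Ticket and String are accepted; the trailing
    // "!*" rejects every other class before it is instantiated. Adding gadget classes to a
    // denylist instead would need updating for every newly discovered chain.
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "AllowlistDeserialization$Ticket;java.lang.String;!*");

    static Object deserializeAllowlisted(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(data))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new Ticket(42, "printer offline"));   // constructed sample input
        byte[] unexpected = serialize(new Unexpected());                // constructed sample input
        System.out.println("unfiltered accepts: " + deserializeUnfiltered(unexpected).getClass().getSimpleName());
        System.out.println("allowlisted accepts Ticket: " + ((Ticket) deserializeAllowlisted(benign)).subject);
        try {
            deserializeAllowlisted(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("allowlisted rejects Unexpected: " + e.getMessage());
        }
    }
}
```

Requires Java 9 or later for java.io.ObjectInputFilter; the rejection surfaces as an InvalidClassException with a "filter status: REJECTED" message, which is also a useful signal to log and alert on.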

Affected Systems and Versions

  • SolarWinds Web Help Desk versions prior to 12.8.7 Hotfix 1 are affected
  • Vulnerable configurations include default and custom deployments where the AjaxProxy endpoint is accessible
  • Previous patches for CVE-2024-28986 and CVE-2024-28988 do not fully mitigate this issue

Vendor Security History

SolarWinds has a history of critical vulnerabilities in Web Help Desk, particularly related to Java deserialization (CVE-2024-28986, CVE-2024-28988). Patches for these issues were bypassed by subsequent vulnerabilities, indicating incomplete remediation. The company has demonstrated rapid patch response in some cases, but the repeated bypasses raise concerns about the thoroughness of their security review and patch validation processes. SolarWinds also suffered a major supply chain compromise in 2020 affecting its Orion platform, highlighting persistent challenges in secure software development.
