SolarWinds has released a hotfix for its Web Help Desk (WHD) software after the discovery of a critical remote code execution (RCE) vulnerability tracked as CVE-2025-26399. The flaw, rated CVSS 9.8, stems from an unauthenticated AjaxProxy deserialization issue and has been identified as a patch bypass of earlier vulnerabilities (CVE-2024-28988 and CVE-2024-28986).
According to the advisory, “SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.”
The report highlights that this flaw continues a worrying trend of patch bypasses:
- CVE-2024-28986 → Original deserialization flaw.
- CVE-2024-28988 → First patch bypass.
- CVE-2025-26399 → Second patch bypass, now addressed in this hotfix.
The vulnerability was responsibly disclosed by an anonymous researcher working with Trend Micro’s Zero Day Initiative (ZDI).
Because the flaw is unauthenticated, attackers can exploit it without needing valid credentials. Successful exploitation would allow adversaries to execute arbitrary commands on the underlying server — a full system compromise risk.
This makes CVE-2025-26399 particularly dangerous for organizations that expose Web Help Desk instances to the internet without proper segmentation or additional layers of defense.
The hotfix is available for Web Help Desk 12.8.7 and provides updated libraries to mitigate the vulnerability. Specifically, it:
- Adds HikariCP.jar
- Modifies whd-core.jar, whd-web.jar, and whd-persistence.jar within the /lib directory.
Administrators are required to:
- Stop Web Help Desk.
- Remove the outdated c3p0.jar.
- Back up and replace the affected JAR files with those from the hotfix.
- Restart Web Help Desk to apply the patch.
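The four administrator steps above, scripted as an added example (this is not SolarWinds' hotfix installer or any script from the advisory). It assumes a WHD `lib` directory path, a directory holding the extracted hotfix JARs, and a backup location, all passed as arguments; stopping and restarting the Web Help Desk service is left to the operator's own service command, since the advisory does not name one. `whd_hotfix_applied` is a check a defender can run across instances afterwards to confirm the old `c3p0.jar` is gone and `HikariCP.jar` is present.

```shell
#!/bin/sh
# Added example, not vendor code. Applies the JAR swap from the WHD hotfix
# advisory and offers a post-check. Paths are assumptions supplied by the caller.
set -eu

# JARs the advisory says the hotfix ships (three modified, one new)
HOTFIX_JARS="whd-core.jar whd-web.jar whd-persistence.jar HikariCP.jar"

# apply_whd_hotfix <whd_lib_dir> <hotfix_jar_dir> <backup_dir>
# Step 2: move the outdated c3p0 JAR out of lib (any versioned name).
# Step 3: back up each affected JAR, then copy in the hotfix version.
# Steps 1 and 4 (stop/restart WHD) run outside this function.
apply_whd_hotfix() {
  lib="$1"; hotfix="$2"; backup="$3"
  mkdir -p "$backup"

  # Refuse to touch a live tree if the hotfix bundle is incomplete.
  for jar in $HOTFIX_JARS; do
    [ -f "$hotfix/$jar" ] || { echo "hotfix is missing $jar" >&2; return 1; }
  done

  # Step 2: retire c3p0 (kept in the backup dir so the change is reversible).
  for old in "$lib"/c3p0*.jar; do
    [ -e "$old" ] || continue
    mv "$old" "$backup/"
  done

  # Step 3: back up, then replace. HikariCP.jar is new, so it has no backup.
  for jar in $HOTFIX_JARS; do
    if [ -f "$lib/$jar" ]; then
      cp -p "$lib/$jar" "$backup/$jar"
    fi
    cp "$hotfix/$jar" "$lib/$jar"
  done
}

# whd_hotfix_applied <whd_lib_dir>
# Returns 0 when lib looks patched: HikariCP.jar present and no c3p0*.jar left.
whd_hotfix_applied() {
  lib="$1"
  [ -f "$lib/HikariCP.jar" ] || return 1
  set -- "$lib"/c3p0*.jar
  if [ -e "$1" ]; then
    return 1
  fi
  return 0
}

# Usage (assumed paths):
#   <stop WHD with your service command>
#   apply_whd_hotfix /opt/whd/lib /tmp/whd-hotfix/lib /opt/whd/lib-backup-$(date +%F)
#   whd_hotfix_applied /opt/whd/lib && echo "patched"
#   <restart WHD>
if [ "${1:-}" = "--check" ] && [ -n "${2:-}" ]; then
  whd_hotfix_applied "$2" && echo "patched" || { echo "NOT patched"; exit 2; }
fi
```

Run the check across every WHD host before re-exposing the service; an instance where `c3p0*.jar` is still in `lib` has not had step 2 applied, whatever the vendor version string says.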