A critical vulnerability in SolarWinds Web Help Desk, identified as CVE-2025-26399, is currently being exploited in the wild, posing a severe threat to organizations using the software. This remote code execution (RCE) flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary commands on the host machine, leveraging a deserialization issue in the AjaxProxy component. The vulnerability is a patch bypass of a previous flaw, CVE-2024-28988, highlighting ongoing challenges in securing this platform.
The vulnerability was disclosed on September 23, 2025, and has since been added to CISA's Known Exploited Vulnerabilities (KEV) catalog as of March 9, 2026, underscoring its critical nature and the urgency for remediation. The Exploit Prediction Scoring System (EPSS) assigns it a probability of 0.293, indicating a significant likelihood of exploitation, which has already been confirmed in active attacks.
SolarWinds has responded by releasing a hotfix to address this vulnerability. However, the time-to-exploit (TTE) for this flaw was notably short, with attackers exploiting it within 166 days of its disclosure. This rapid exploitation timeline emphasizes the need for organizations to promptly apply patches and updates to mitigate potential risks.
The vulnerability stems from improper handling of serialized data, a common issue that can lead to severe security breaches if not properly managed. In this case, the flaw allows attackers to bypass authentication mechanisms and execute commands with the same privileges as the application, potentially leading to full system compromise.
Security experts recommend that organizations using SolarWinds Web Help Desk immediately apply the available hotfix to protect their systems. Additionally, they should review their security posture and consider implementing additional layers of security, such as network segmentation and intrusion detection systems, to further safeguard against exploitation attempts.
Given the critical nature of this vulnerability and its active exploitation, organizations should prioritize patching and closely monitor their systems for any signs of compromise. The inclusion of CVE-2025-26399 in the KEV catalog serves as a stark reminder of the persistent threats facing IT infrastructure and the importance of maintaining robust security practices.
CSURFACE