SolarWinds on Tuesday announced a hotfix for a remote code execution (RCE) vulnerability in Web Help Desk, marking the third time the company has attempted to address the issue.
The newly disclosed bug, tracked as CVE-2025-26399 (CVSS score of 9.8), is described as an unauthenticated AjaxProxy deserialization RCE flaw that could allow attackers to execute commands on the host machine.
“This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986,” SolarWinds notes in an advisory released last week.
The original security defect, tracked as CVE-2024-28986 (CVSS score of 9.8), a Java deserialization RCE bug that was reported as being exploitable without authentication, was flagged as exploited only days after SolarWinds released a hotfix in August 2024.
Within a week, the company released a second hotfix that addressed another critical vulnerability in the product, CVE-2024-28987 (CVSS score of 9.1), which removed hardcoded credentials exposed during the deployment of the first hotfix.
In mid-October 2024, on the same day the US cybersecurity agency CISA warned that the hardcoded credentials had been exploited in attacks, SolarWinds announced a third hotfix that also resolves CVE-2024-28988 (CVSS score of 9.8), another Java deserialization RCE in the AjaxProxy.
“This vulnerability was found by the ZDI team after researching a previous vulnerability and providing this report. The ZDI team was able to discover an unauthenticated attack during their research,” SolarWinds said at the time.
Now, the company explains that the newly disclosed CVE-2025-26399 is its third attempt at patching the deserialization RCE, and that an anonymous security researcher working with Trend Micro ZDI discovered it.
While there have been no reports of CVE-2024-28988 being exploited in the wild, users are advised to apply the hotfix for its bypass as soon as possible, given the critical severity of the issue and the previous exploitation of the initial vulnerability.
“The original bug was actively exploited in the wild, and while we’re not yet aware of active exploitation of this latest patch bypass, history suggests it’s only a matter of time,” watchTowr head of threat intelligence Ryan Dewhurst said.
SolarWinds released Web Help Desk 12.8.7 Hotfix 1 to address CVE-2025-26399. The release notes contain detailed instructions on how to apply the hotfix.