SolarWinds fixes critical Web Help Desk RCE vulnerability (CVE-2025-26399)

SolarWinds has fixed yet another unauthenticated remote code execution vulnerability (CVE-2025-26399) in Web Help Desk (WHD), its popular web-based IT ticketing and asset management solution.

While the vulnerability is currently not being leveraged by attackers, they might soon reverse-engineer the hotfix and create a working exploit. As watchTowr researchers noted, “given SolarWinds’ past, in-the-wild exploitation is highly likely.”

About CVE-2025-26399

“[CVE-2025-26399] exists within the AjaxProxy class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data,” Trend Micro’s Zero Day Initiative explained.

The vulnerability can be exploited without prior authentication. Successful exploitation allows remote attackers to execute arbitrary code on vulnerable SolarWinds WHD installations.

Due to the solution’s nature, a compromised WHD instance could reveal a lot of sensitive information.

CVE-2025-26399 affects SolarWinds WHD version 12.8.7 and is (hopefully fully) addressed in 12.8.7 Hotfix 1.

The urgency to apply the fix comes from the fact that CVE-2025-26399 is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986, which ended up being exploited by attackers soon after the release of a fix.

The good news is that there’s currently no public proof-of-concept exploit available for CVE-2025-26399.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.