Cybersecurity authorities have flagged a severe security flaw in SolarWinds Web Help Desk that requires immediate attention from system administrators.
Tracked as CVE-2025-26399, this vulnerability allows malicious actors to execute unauthorized commands directly on the host machine.
Because of its severity and active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has officially added this flaw to its Known Exploited Vulnerabilities catalog.
The flaw is a case of “deserialization of untrusted data,” which is categorized under CWE-502.
This specific weakness exists in the AjaxProxy component of SolarWinds Web Help Desk.
SolarWinds Web Help Desk Deserialization
Deserialization is a normal computational process in which software unpacks formatted data into active objects that the system can read and use.
However, a serious security gap occurs when a system unpacks data from an untrusted or external source without proper safety checks.
In the context of this SolarWinds vulnerability, the AjaxProxy component fails to adequately verify the contents of incoming data packets before processing them.
By sending carefully crafted malicious payloads, threat actors can trick the application into executing harmful instructions directly in the system’s memory.
Once the malicious data is processed, the attacker can run arbitrary commands on the affected host.
This level of access is highly dangerous, as it essentially hands the attacker direct control over the server running the help desk software.
From there, an intruder could steal sensitive corporate data, manipulate user accounts, or pivot deeper into the internal network.
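The missing safety check described above can be illustrated with an allow-list enforced while the data is being decoded. This is an added example, not SolarWinds code and not the AjaxProxy implementation: it uses Python's `pickle` as a stand-in serialization format, and `ALLOWED_GLOBALS`, `safe_loads`, `check` and the sample payloads are hypothetical names and constructed inputs.

```python
import io
import pickle
from collections import OrderedDict
from decimal import Decimal

# Hypothetical policy: the only (module, name) types a request may carry.
ALLOWED_GLOBALS = {("collections", "OrderedDict")}
MAX_PAYLOAD_BYTES = 64 * 1024

class RejectedPayload(Exception):
    """Untrusted input failed a check before or during decoding."""

class AllowListUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every type reference in the stream before any object of
        # that type is built, so refusing here stops foreign code from loading.
        if (module, name) not in ALLOWED_GLOBALS:
            raise RejectedPayload(f"type not allow-listed: {module}.{name}")
        return super().find_class(module, name)

def safe_loads(data: bytes):
    """Decode untrusted bytes, or raise RejectedPayload."""
    if len(data) > MAX_PAYLOAD_BYTES:
        raise RejectedPayload("payload too large")
    try:
        return AllowListUnpickler(io.BytesIO(data)).load()
    except RejectedPayload:
        raise
    except Exception as exc:  # truncated or malformed stream
        raise RejectedPayload(f"malformed payload: {type(exc).__name__}") from exc

def check(data: bytes) -> str:
    """Return a one-line verdict suitable for a request log."""
    try:
        safe_loads(data)
        return "accepted"
    except RejectedPayload as exc:
        return f"rejected: {exc}"

# Constructed sample inputs (harmless objects, not captured traffic).
SAMPLE_OK = pickle.dumps(OrderedDict(subject="printer offline", priority=2))
SAMPLE_FOREIGN_TYPE = pickle.dumps(OrderedDict(cost=Decimal("1.5")))
SAMPLE_TRUNCATED = SAMPLE_OK[:-3]

if __name__ == "__main__":
    for label, blob in [("ok", SAMPLE_OK), ("foreign type", SAMPLE_FOREIGN_TYPE),
                        ("truncated", SAMPLE_TRUNCATED)]:
        print(f"{label}: {check(blob)}")
```

An allow-list narrows what a decoder will build but does not make a native object format safe for hostile input; a data-only format such as JSON removes type references from the wire altogether.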
Currently, security researchers state that it remains unknown whether ransomware gangs are actively utilizing this specific vulnerability in their extortion campaigns.
However, CISA’s flagging indicates that threat actors are actively exploiting the flaw in real-world attacks.
Organizations running exposed instances of SolarWinds Web Help Desk are at high risk of immediate compromise.
Federal agencies and critical infrastructure operators are operating on an extremely tight timeline to secure their networks.
CISA added CVE-2025-26399 to its Known Exploited Vulnerabilities catalog on March 9, 2026. Under Binding Operational Directive (BOD) 22-01, federal civilian executive branch agencies must resolve this vulnerability by March 12, 2026.
While this directive explicitly targets government agencies, private sector organizations are strongly urged to treat this deadline with equal urgency.
Security teams must take immediate action to protect their environments from compromise. CISA and security experts recommend the following actions:
- Apply the latest security patches provided by SolarWinds immediately to fix the AjaxProxy component.
- Follow the applicable BOD 22-01 guidance for any associated cloud services.
- Discontinue the use of the product entirely and disconnect it from the network if patches cannot be applied.
- Monitor network logs for unusual command execution, unexpected administrative access, or abnormal outbound traffic.