Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to vulnerabilities
CriticalCISA KEVExploited in the wildPublic exploit

Unauthenticated AjaxProxy Deserialization RCE in SolarWinds Web Help Desk

IdentifiersCVE-2025-26399CWE-502· Deserialization of Untrusted Data

CVE-2025-26399 is a critical unauthenticated remote code execution vulnerability in the AjaxProxy component of SolarWinds Web Help Desk (WHD). The flaw is caused by deserialization of untrusted data: the AjaxProxy endpoint accepts attacker-controlled serialized input and deserializes it without sufficient validation, enabling execution of attacker-controlled code or commands on the underlying host. The issue affects SolarWinds Web Help Desk 12.8.7 and earlier, and is fixed in 12.8.7 Hotfix 1. The vulnerability is notable because it is described as a patch bypass of CVE-2024-28988, which itself was a bypass of CVE-2024-28986, indicating prior remediations did not fully eliminate the underlying insecure deserialization attack surface in AjaxProxy.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary commands/code on the SolarWinds Web Help Desk host with the privileges of the vulnerable service. This can result in full compromise of the application server, including theft of sensitive data, credential access, lateral movement, persistence, deployment of additional tooling or malware, and service disruption. The vulnerability has been reported as actively exploited in the wild and has been used for initial access in real intrusions.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network access to the Web Help Desk server and specifically the AjaxProxy-reachable interface to trusted administrative networks only, or remove the system from internet exposure. Use segmentation, reverse-proxy/WAF controls where feasible, and monitor for suspicious requests to AjaxProxy, anomalous command execution, unexpected child processes from the WHD service, and unusual outbound traffic. Increase EDR coverage and log review on the host. If the product cannot be patched promptly, disconnect or discontinue use until remediation can be completed.

Remediation

Patch, then assume compromise.

Upgrade SolarWinds Web Help Desk to 12.8.7 Hotfix 1 or later. Because CVE-2025-26399 is a bypass of earlier fixes for CVE-2024-28988 and CVE-2024-28986, prior patch levels are not sufficient. Apply the vendor hotfix/release specifically addressing CVE-2025-26399 and verify that exposed WHD instances are updated to the fixed build. After patching, review the system for indicators of compromise, including unexpected process execution, suspicious outbound connections, unauthorized scheduled tasks, credential access activity, and other signs of post-exploitation.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 2 candidates as fakes, detection scripts, or README-only repos.

VALID 0 / 2 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
SolarWindsWeb Help Deskapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

155 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

155 SOURCESView more in app
techradarNews
Apr 20, 2026
Hackers hide ransomware tools inside virtual machines using QEMU, allowing attacks to remain largely invisible | TechRadar

A vulnerability in SolarWinds Web Help Desk used by attackers as an initial access vector in the STAC4713 campaign.

Read more
cyber security newsNews
Apr 20, 2026
Attackers Turn QEMU Into a Stealth Backdoor for Credential Theft and Ransomware

A vulnerability affecting SolarWinds Web Help Desk that is called out as needing patching to reduce exposure to active exploitation.

Read more
security affairsNews
Apr 18, 2026
Hidden VMs: how hackers leverage QEMU to stealthily steal data and spread malware

A vulnerability in SolarWinds Web Help Desk that was exploited for initial access and led to QEMU deployment in observed intrusions.

Read more
bleeping computerNews
Apr 17, 2026
Payouts King ransomware uses QEMU VMs to bypass endpoint security

A vulnerability in SolarWinds Web Help Desk observed being exploited in more recent attacks as an initial access vector.

Read more
+38 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence3

Every observed campaign linking this CVE to a named adversary.

Associated malware14

Malware families riding this exploit, with evidence and IOCs.

Detection signatures2

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity110

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-26399
NVD
nvd.nist.gov/vuln/detail/CVE-2025-26399
MITRE CWE · CWE-502
Deserialization of Untrusted Data
Patch
solarwinds.com/trust-center/security-advisories/CVE-2025-26399
Third Party Advisory
microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk
Release Notes
documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26399