SolarWinds has released a hotfix for a critical a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication.
Tracked as CVE-2025-26399, the security issue is the company’s third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions.
SolarWinds WHD is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance.
CVE-2025-26399 affects the latest WHD version 12.8.7 and is caused by unsafe deserialization handling in the AjaxProxy component. Successful exploitation allows an unauthenticated attacker to run commands on the host machine.
In a security bulletin, the vendor says that “this vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.”
Last August, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) marked the original SolarWinds flaw as being leveraged in attacks and added it to the Known Exploited Vulnerabilities (KEV) catalog.
The new security problem was reported to SolarWinds through the Trend Micro Zero Day Initiative (ZDI). At the time of writing there are no public reports about threat actors exploiting it.
Hotfix available
SolarWinds has released a hotfix that addresses CVE-2025-26399, which requires installing Web Help Desk version 12.8.7. To apply the security update, users are advised to follow these steps:
- Stop Web Help Desk
- Navigate to:
/bin/webapps/helpdesk/WEB-INF/lib/ (substitute depending on OS) - Back up and then delete: c3p0.jar
- Back up (to a separate directory): whd-core.jar, whd-web.jar, whd-persistence.jar
- Copy the hotfix-supplied JARs into the same /lib directory, overwriting the originals: whd-core.jar, whd-web.jar, whd-persistence.jar, plus add HikariCP.jar
- Restart Web Help Desk
The hotfix is exclusively available through the SolarWinds Customer Portal. More information on how to upgrade WHD is available here.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
