SolarWinds has issued a hotfix to address a critical remote code execution (RCE) vulnerability in its Web Help Desk (WHD) software, CVE-2025-26399, which affects version 12.8.7 and all earlier releases. The flaw stems from unsafe deserialization in the AjaxProxy component and is an unauthenticated exploit, meaning attackers don’t need valid credentials to leverage it. This latest patch is described by SolarWinds as a patch bypass of two earlier vulnerabilities—CVE-2024-28988 and CVE-2024-28986—both of which had already been addressed in previous hotfixes. Although there’s no definitive evidence yet that CVE-2025-26399 is being exploited in the wild, security professionals warn that given the history of the prior flaws being used in attacks, it’s likely only a matter of time before threat actors attempt to use this one.
Sources: Hacker News, The Register, SecurityWeek
Key Takeaways
– Repeated patch bypasses undermine confidence: The new CVE-2025-26399 is not a wholly new vulnerability but a bypass of prior fixes (CVE-2024-28988 and CVE-2024-28986). This suggests earlier patches didn’t fully close the exploit path.
– Unauthenticated remote code execution is serious: Since the flaw is exploitable without authentication, any exposed, unpatched instance of WHD is at high risk. Attackers could execute system‐level commands remotely.
– Urgency in patching despite no known exploitation yet: Even though there’s no confirmed exploitation of the latest flaw, history shows that once such vulnerabilities are public, malicious actors move quickly. Proactive patching is strongly recommended.
In‐Depth
SolarWinds is urging users of its Web Help Desk (WHD) product to immediately apply Hotfix 1 for version 12.8.7 to address CVE-2025-26399, an especially serious vulnerability (CVSS 9.8) that permits remote code execution via unsafe deserialization in the AjaxProxy component. What’s particularly troubling is that this isn’t a new class of issue but rather the third iteration in a chain of fallback vulnerabilities: first CVE-2024-28986, then CVE-2024-28988, and now this one. The earlier bugs were patched, but attackers discovered bypasses each time, exposing systems again.
Because the exploit does not require authentication, it dramatically reduces the barrier for attackers. Anybody who can reach an unpatched Web Help Desk installation could potentially execute arbitrary code with the privileges permitted by the system context. Although SolarWinds and affiliated security researchers, including Trend Micro’s Zero Day Initiative (ZDI), have not yet observed attacks leveraging CVE-2025-26399, the precedent is worrying: CVE-2024-28986 was actively exploited in the wild, and once a vulnerability is disclosed, risk tends to follow fast.
To safeguard against this current vulnerability, SolarWinds has provided step‐by‐step instructions for applying the hotfix: replacing specific JAR files (including removing the c3p0.jar, backing up critical JARs, and integrating the new supplied ones along with HikariCP.jar) in the Web Help Desk’s lib folder, then restarting the service.
The vendor stresses updating immediately, even if an organization had applied earlier patches assuming they were sufficient. In summary, this episode underscores how crucial it is that patches are reviewed thoroughly, tested under diverse conditions, and validated in the field—because partial fixes or bypasses leave the door open. The chain of bypasses here is a warning signal: in cyber defense, closing a vulnerability properly the first time matters.