SolarWinds has issued a critical hotfix to address a severe security vulnerability in its Web Help Desk (WHD) software. This flaw, identified as CVE-2025-26399 with a CVSS score of 9.8, could allow unauthenticated attackers to execute arbitrary commands on affected systems. The vulnerability affects WHD version 12.8.7 and all prior versions.
Nature of the Vulnerability
The issue stems from the deserialization of untrusted data within the AjaxProxy component of WHD. Deserialization vulnerabilities arise when an application reconstructs objects from serialized input that it does not adequately validate, so an attacker who controls that input can dictate which classes are instantiated and, through them, reach remote code execution. In this case, the missing validation in AjaxProxy means the flaw can be triggered without authentication.
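To make the vulnerability class concrete, the following is an added illustration (not code from SolarWinds or Web Help Desk, and written in Python rather than the product's own language) of the insecure pattern beside its hardened form. The `Ticket` type, the allowlist contents and the sample serialized blobs are all constructed for the example; the point is that the fix sits in the deserializer's class-resolution hook, where it refuses any global the byte stream names that the application did not explicitly permit.

```python
import io
import pickle


class Ticket:
    """Hypothetical help-desk record; the only application type the loader needs."""

    def __init__(self, ticket_id: int, subject: str) -> None:
        self.ticket_id = ticket_id
        self.subject = subject


# Allowlist of (module, qualified name) pairs that unpickling may resolve.
# Everything else, including every standard-library callable, is refused.
SAFE_GLOBALS = {
    (Ticket.__module__, "Ticket"),
}


def load_untrusted_insecure(blob: bytes):
    """Vulnerable pattern: pickle.loads resolves and instantiates whatever
    globals the byte stream names, with no validation of the stream."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: find_class is the hook pickle calls to resolve every
    global reference, so rejecting unknown names here closes the gadget path."""

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"refusing to resolve global {module}.{name}: not on the allowlist"
        )


def load_untrusted_safe(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def make_ticket_blob() -> bytes:
    """Constructed sample: a legitimate serialized Ticket."""
    return pickle.dumps(Ticket(4711, "Printer offline"))


def make_foreign_global_blob() -> bytes:
    """Constructed sample: a stream that names a global outside the allowlist.
    builtins.len is harmless, but the loader cannot tell it apart from a
    dangerous callable; what matters is that the stream, not the application,
    chose which global gets resolved."""
    return pickle.dumps(len)


def rejects(loader, blob: bytes) -> bool:
    """True if the loader refuses the stream with an UnpicklingError."""
    try:
        loader(blob)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    t = load_untrusted_safe(make_ticket_blob())
    print("allowlisted type loaded:", t.ticket_id, t.subject)
    print("insecure loader resolves foreign global:",
          load_untrusted_insecure(make_foreign_global_blob()))
    print("restricted loader rejects it:",
          rejects(load_untrusted_safe, make_foreign_global_blob()))
```

The allowlist is deliberately a set of exact (module, name) pairs rather than a module prefix: a permissive rule such as "anything under the application's package" reintroduces the problem as soon as one permitted class carries a reachable side effect in its reconstruction path, which is the pattern behind most patch bypasses in this area.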
Discovery and Reporting
An anonymous researcher associated with the Trend Micro Zero Day Initiative (ZDI) discovered and reported this vulnerability. ZDI has highlighted the severity of the flaw, noting that it enables remote attackers to execute code in the context of the SYSTEM account, which has extensive privileges on Windows systems.
Historical Context
This vulnerability is particularly concerning as it represents a bypass of previous patches. In August 2024, SolarWinds addressed a similar deserialization vulnerability, CVE-2024-28986, which was actively exploited in the wild. Subsequently, a patch bypass was identified as CVE-2024-28988, leading to further remediation efforts. The current flaw, CVE-2025-26399, indicates that previous fixes were insufficient, necessitating this latest hotfix.
Recommendations for Users
While there is no current evidence of active exploitation of CVE-2025-26399, the history of similar vulnerabilities being exploited suggests a high risk. Users are strongly advised to update their Web Help Desk installations to version 12.8.7 HF1 immediately to mitigate potential threats.
Broader Implications
SolarWinds has been at the center of significant cybersecurity incidents, most notably the 2020 supply chain attack attributed to Russia’s Foreign Intelligence Service (SVR). This attack compromised multiple Western government agencies and underscored the critical importance of securing software supply chains. The recurrence of vulnerabilities in SolarWinds products highlights the ongoing challenges in maintaining software security and the necessity for continuous vigilance and prompt patching.