CVE-2025-26399 is a critical remote code execution (RCE) vulnerability affecting SolarWinds Web Help Desk versions 12.8.7 and below. The vulnerability stems from the deserialization of untrusted data within an unauthenticated AjaxProxy component. Deserialization vulnerabilities occur when untrusted input is processed by an application’s deserialization routines, potentially allowing attackers to craft malicious serialized objects that execute arbitrary code upon deserialization. This specific flaw is a patch bypass of two previous vulnerabilities (CVE-2024-28988 and CVE-2024-28986), indicating that prior fixes were circumvented, and the underlying insecure deserialization issue remains exploitable. The vulnerability requires no authentication or user interaction, making it highly accessible to remote attackers. The CVSS v3.1 score of 9.8 reflects its critical nature, with attack vector being network-based, low attack complexity, no privileges required, and no user interaction needed. Successful exploitation allows an attacker to execute arbitrary commands on the host machine running the SolarWinds Web Help Desk application, potentially leading to full system compromise, data theft, lateral movement within networks, and disruption of IT service management operations. The lack of available patches at the time of publication further exacerbates the risk, as organizations must rely on mitigations until official fixes are released. Given SolarWinds Web Help Desk’s role in IT service management, exploitation could severely impact incident response and operational continuity.

For European organizations, the impact of CVE-2025-26399 is significant due to the widespread use of SolarWinds Web Help Desk in managing IT support and service operations. A successful attack could lead to unauthorized access to sensitive internal systems, disruption of help desk services, and potential exposure of confidential data, including personal data protected under GDPR. The ability to execute arbitrary commands on the host system could allow attackers to deploy ransomware, steal intellectual property, or establish persistent footholds for further attacks. This could result in operational downtime, financial losses, reputational damage, and regulatory penalties. Critical infrastructure operators and enterprises relying on SolarWinds for IT service management are particularly at risk, as disruption in help desk services can delay incident resolution and exacerbate security incidents. The unauthenticated nature of the vulnerability increases the likelihood of exploitation attempts, especially in environments exposed to the internet or with insufficient network segmentation.

1. Immediate network-level controls: Restrict access to SolarWinds Web Help Desk interfaces using firewalls or VPNs to limit exposure to trusted internal networks only. 2. Implement Web Application Firewalls (WAFs) with custom rules to detect and block suspicious deserialization payloads or anomalous AjaxProxy requests. 3. Monitor network traffic and application logs for unusual activity indicative of exploitation attempts, such as unexpected serialized object payloads or command execution traces. 4. Apply strict input validation and deserialization controls where possible, including disabling or sandboxing deserialization features if configurable. 5. Maintain up-to-date backups and incident response plans to quickly recover from potential compromises. 6. Engage with SolarWinds for timely patch deployment once available, and prioritize patching in asset management processes. 7. Conduct internal audits to identify all instances of SolarWinds Web Help Desk and assess exposure levels. 8. Educate IT and security teams about this vulnerability to increase vigilance and rapid response capability.