On September 17, 2025, SolarWinds released a hotfix for a critical remote code execution vulnerability, CVE-2025-26399, affecting its Web Help Desk software.
Three separate Common Vulnerabilities and Exposures (CVE) identifiers have been issued for the same underlying Web Help Desk component, AjaxProxy: CVE-2024-28986, CVE-2024-28988 (a bypass of the fix for CVE-2024-28986), and CVE-2025-26399 (a bypass of the fix for CVE-2024-28988). Each identifier corresponds to a distinct vulnerability instance or patch bypass within AjaxProxy, not to a new component.
CVE-2025-26399 affects SolarWinds Web Help Desk version 12.8.7 and all prior releases. It is described as insecure deserialization of untrusted data in the AjaxProxy endpoint, which is exposed by default. Because the endpoint deserializes client-supplied data without validating what it contains, a threat actor can submit a crafted serialized object and obtain remote code execution on the host running Web Help Desk. It was rated with a Common Vulnerability Scoring System (CVSS) score of 9.8 out of 10, indicating critical severity.
No public proof-of-concept (PoC) has been released for CVE-2025-26399. However, the previous two CVEs were added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog shortly after their disclosure in 2024, indicating active exploitation in the wild, so the absence of a public PoC for this third bypass should not be read as low risk.
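The advisory does not show the vulnerable code, so the following is an added illustration of the bug class, not SolarWinds code. It uses Python's pickle as a stand-in for the object stream that AjaxProxy deserializes: a deserializer that instantiates whatever class the input names will run attacker-chosen code, while a deserializer with an allowlist of the classes the endpoint actually expects rejects the same payload before anything executes. TicketQuery, Gadget and attacker_chosen_function are hypothetical names; the "payload" only records a call rather than running a command.

```python
import io
import pickle


class TicketQuery:
    """Stand-in for a type the endpoint legitimately expects to receive."""
    def __init__(self, ticket_id: int):
        self.ticket_id = ticket_id


CALLS = []  # records what the payload managed to run, so the effect is observable


def attacker_chosen_function(arg: str) -> str:
    """Stand-in for os.system or Runtime.exec: records the call instead of executing it."""
    CALLS.append(arg)
    return "executed: " + arg


class Gadget:
    """Deserializing this object invokes attacker_chosen_function.
    Real-world gadgets chain library classes the same way; the point is that
    the input, not the application, decides which code runs."""
    def __reduce__(self):
        return (attacker_chosen_function, ("id > /tmp/pwned",))


def malicious_payload() -> bytes:
    return pickle.dumps(Gadget())


def benign_payload() -> bytes:
    return pickle.dumps(TicketQuery(42))


def vulnerable_handler(data: bytes):
    """The bug class on the page: untrusted bytes reach the deserializer with
    no check on which classes they may instantiate."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened form: an allowlist of the classes this endpoint actually needs."""
    ALLOWED = {(TicketQuery.__module__, "TicketQuery")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def hardened_handler(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def hardened_rejects(data: bytes) -> bool:
    """True when the hardened handler refuses the payload outright."""
    try:
        hardened_handler(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_handler(benign_payload()).ticket_id)   # 42
    print(vulnerable_handler(malicious_payload()))          # executed: id > /tmp/pwned
    print(hardened_handler(benign_payload()).ticket_id)     # 42
    print(hardened_rejects(malicious_payload()))            # True
```

The allowlist is the important part: a denylist of known-bad classes is what repeated patch bypasses defeat, because the attacker only needs one gadget the list does not name. Java's equivalent is an ObjectInputFilter that rejects everything not explicitly permitted.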
On September 23, 2025, SolarWinds urged customers to upgrade to Web Help Desk version 12.8.7 Hotfix 1 to mitigate the issue.
The repeated patch bypasses suggest that the earlier fixes did not comprehensively address the vulnerable code paths, leaving organizations exposed even after applying the 2024 updates. Mitigation requires immediate application of the latest hotfix (12.8.7 HF1). SolarWinds has not provided alternative workarounds, and no configuration change can fully eliminate the risk without patching.
Organizations should verify that the AjaxProxy endpoint is not reachable from untrusted networks and monitor for signs of exploitation: requests to AjaxProxy from unexpected source addresses, request bodies or parameters carrying Java serialized objects (a raw stream begins with the bytes AC ED 00 05; a base64-encoded one begins with rO0AB), and unexpected child processes spawned by the Web Help Desk Java process. Given the history of patch bypasses, it is advisable to implement additional controls such as web application firewalls and network segmentation to reduce exposure; these limit who can reach the endpoint but do not remove the flaw, so they complement the hotfix rather than replace it.
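As an added example (not part of the original advisory), the Python below performs the two checks the preceding paragraph asks for on constructed input: whether requests to the AjaxProxy endpoint arrive from outside an allowlisted management network, and whether they carry a Java serialized object stream, which always starts with the bytes AC ED 00 05 (rO0AB once base64-encoded). It also encodes the page's patch state as a version test. The endpoint path (matched only on the component name), the management CIDRs and the sample requests are assumptions; the version check assumes that every release newer than 12.8.7 HF1 retains the fix.

```python
import base64
import ipaddress
import re
from dataclasses import dataclass

# Every Java serialization stream starts with STREAM_MAGIC (0xACED) and
# STREAM_VERSION (0x0005); base64-encoding those bytes yields the prefix rO0AB.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
JAVA_SER_B64_PREFIX = "rO0AB"

# Assumption: the only networks that should ever reach AjaxProxy.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.168.50.0/24")]


@dataclass
class Request:
    """One HTTP request as a reverse proxy or WAF would see it."""
    src_ip: str
    method: str
    path: str
    query: str = ""
    body: bytes = b""


def is_ajaxproxy(path: str) -> bool:
    # Assumption: the endpoint's path contains the component name.
    return "ajaxproxy" in path.lower()


def looks_like_java_serialized(data: bytes) -> bool:
    """True for a raw Java object stream or a base64-encoded one."""
    if data.startswith(JAVA_SER_MAGIC):
        return True
    return JAVA_SER_B64_PREFIX in data.decode("latin-1")


def assess(req: Request, allowed_nets=ADMIN_NETS) -> list:
    """Findings for a single request; empty when nothing is suspicious."""
    findings = []
    if not is_ajaxproxy(req.path):
        return findings
    src = ipaddress.ip_address(req.src_ip)
    if not any(src in net for net in allowed_nets):
        findings.append("ajaxproxy_reached_from_untrusted_network")
    if looks_like_java_serialized(req.body) or looks_like_java_serialized(req.query.encode()):
        findings.append("java_serialized_object_in_request")
    return findings


def triage(requests, allowed_nets=ADMIN_NETS) -> list:
    return [assess(r, allowed_nets) for r in requests]


# Version strings as shown in the Web Help Desk console, e.g. "12.8.7 Hotfix 1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s*(?:HF|Hotfix)\s*(\d+))?$", re.IGNORECASE)


def is_patched(version: str) -> bool:
    """12.8.7 and everything earlier is vulnerable; 12.8.7 HF1 is the fix.
    Assumption: any later release keeps the fix."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    hotfix = int(m.group(4) or 0)
    return (major, minor, patch, hotfix) >= (12, 8, 7, 1)


# Constructed sample traffic (not captured from a real system). The serialized
# fragment is only the stream header, TC_OBJECT, TC_CLASSDESC and a class name.
SAMPLE_REQUESTS = [
    Request("203.0.113.7", "POST", "/helpdesk/AjaxProxy",
            body=JAVA_SER_MAGIC + b"\x73\x72\x00\x11java.util.HashMap"),
    Request("10.20.4.9", "GET", "/helpdesk/AjaxProxy",
            query="data=" + base64.b64encode(JAVA_SER_MAGIC + b"\x73\x72").decode()),
    Request("10.20.4.9", "GET", "/helpdesk/index.jsp"),
]

if __name__ == "__main__":
    for req, findings in zip(SAMPLE_REQUESTS, triage(SAMPLE_REQUESTS)):
        print(req.src_ip, req.method, req.path, findings or "ok")
    for v in ("12.8.3", "12.8.7", "12.8.7 HF1"):
        print(v, "patched" if is_patched(v) else "VULNERABLE")
```

The serialized-object check is a useful WAF or proxy signal precisely because it is independent of which gadget chain a given bypass uses: a legitimate browser client of the endpoint has no reason to send a Java object stream, so the header alone is worth alerting on. The network check is the exposure verification the paragraph recommends; a hit from an address outside the management ranges means the endpoint is reachable from somewhere it should not be, whether or not that request was malicious.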