Full Report
A vulnerability has been discovered in SolarWinds Web Help Desk, which could allow for remote code execution. SolarWinds Web Help Desk (WHD) is a web-based software that provides IT help desk and asset management functionality, allowing IT teams to manage service requests, track IT assets, and offer self-service options to end-users. Successful exploitation of this vulnerability could allow an actor to execute code in the context of SYSTEM. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Analysis Summary
# Vulnerability: SolarWinds Web Help Desk Deserialization RCE (Patch Bypass)
## CVE Details
- CVE ID: CVE-2025-26399
- CVSS Score: Information not explicitly provided, but context suggests **Critical** severity due to SYSTEM context RCE. (Severity inferred: High/Critical)
- CWE: Deserialization of Untrusted Data (Implied based on "deserialization remote code execution vulnerability")
## Affected Systems
- Products: SolarWinds Web Help Desk (WHD)
- Versions: 12.8.7 and all previous versions
- Configurations: Applies generally to WHD installations accessible to an attacker.
## Vulnerability Description
This vulnerability is an unauthenticated **AjaxProxy deserialization remote code execution (RCE)** flaw in SolarWinds Web Help Desk. If successfully exploited, this flaw would allow an attacker to run arbitrary commands on the host machine with **SYSTEM** privileges. This specific vulnerability is noted as a patch bypass targeting vulnerabilities patched in earlier advisories (specifically bypassing fixes for CVE-2024-28988 and CVE-2024-28986).
## Exploitation
- Status: Not exploited in the wild (as of advisory date).
- Complexity: Likely **Low/Medium**, given the Tactic of Initial Access via Exploiting a Public-Facing Application (T1190) and the lack of authentication requirement.
- Attack Vector: Network (Remote)
## Impact
- Confidentiality: High (Ability to view, change, or delete data)
- Integrity: High (Ability to change or delete data, install programs)
- Availability: High (Code execution leading to system compromise)
## Remediation
### Patches
- Apply appropriate updates provided by SolarWinds immediately after testing. (Specific new version number not provided in text, but patching is the primary immediate recommendation).
### Workarounds
- No specific workarounds are detailed in the provided summary, other than the general recommendations concerning vulnerability management processes. (Note: Given RCE, immediate patching is strongly implied over relying on temporary workarounds.)
## Detection
- **Indicators of Compromise:** Successful exploitation would manifest as unexpected processes spawned under the SYSTEM context originating from the SolarWinds WHD service/application.
- **Detection Methods and Tools:** Focus on monitoring WHD application logs for unusual request patterns associated with AjaxProxy endpoints and deviations from expected behavior on the host system (e.g., new service creation, unauthorized file modifications). Implement Exploit Protection features (DEP, WDEG/SIP).
## References
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26399
- SolarWinds: https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399
- ZDI: https://www.zerodayinitiative.com/advisories/ZDI-25-407/