SolarWinds security advisory (AV25-613) – Update 1
Analysis Summary
# Vulnerability: SolarWinds Web Help Desk AjaxProxy Remote Code Execution
## CVE Details
- **CVE ID:** CVE-2025-26399
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- **Products:** SolarWinds Web Help Desk (WHD)
- **Versions:** Version 12.8.7 and all prior versions.
- **Configurations:** Every deployment of an affected version. The `AjaxProxy` servlet is part of the Web Help Desk application rather than an optional module, and the vulnerable endpoint is reachable, without authentication, by any client that can connect to the WHD web interface.
## Vulnerability Description
The vulnerability is a Java deserialization flaw in the `AjaxProxy` servlet of SolarWinds Web Help Desk. The servlet deserializes attacker-controlled input without validating the object stream, so a remote, unauthenticated attacker who can reach the endpoint can send a crafted serialized object and obtain arbitrary code execution with the privileges of the account running the WHD service. SolarWinds describes CVE-2025-26399 as a bypass of the patch for CVE-2024-28988, which was itself a bypass of the fix for CVE-2024-28986, so this is the third fix applied to the same `AjaxProxy` deserialization path.
## Exploitation
- **Status:** **Exploited in the wild**. This CVE was added to the CISA Known Exploited Vulnerabilities (KEV) catalog on March 9, 2026.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full access to application data and underlying system files)
- **Integrity:** High (Ability to modify data, plant backdoors, or alter system configurations)
- **Availability:** High (Potential for system takeover or service disruption)
## Remediation
### Patches
SolarWinds has released a fix. Upgrade to:
- **SolarWinds Web Help Desk 12.8.7 Hotfix 1** or any later release; 12.8.7 and everything before it remain vulnerable.
- *Note: Consult the SolarWinds Trust Center advisory for the exact hotfix package and installation steps for your deployment.*
### Workarounds
The advisory provides no workaround. Until the hotfix is applied, reduce exposure: do not expose the Web Help Desk portal to the internet, and restrict access to the web interface (and therefore to the `AjaxProxy` endpoint) to trusted networks and users.
## Detection
- **Indicators of compromise:** Review web server and reverse-proxy logs for POST requests to the `AjaxProxy` servlet from unexpected sources, especially requests answered with HTTP 500, and correlate them with Java stack traces in the WHD application logs that pass through `java.io.ObjectInputStream` or otherwise indicate a deserialization failure.
- **Detection methods and tools:**
- Inventory WHD instances and compare each installed version against the fixed release; use the CISA KEV entry for the exploitation status and the remediation due date, not to find vulnerable hosts.
- Deploy IDS/WAF/EDR signatures for Java serialized objects sent to the WHD web interface. The raw stream header is the hex sequence `AC ED 00 05`; when the object is carried in a text field it is usually base64-encoded and then starts with `rO0AB`, so match both forms and URL-decode the request body before matching.
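As an added example (not code from the advisory or from SolarWinds), the following Python script applies the two checks above to constructed sample data: it pulls POST requests to the `AjaxProxy` servlet out of access-log lines, and it tests request bodies for the Java serialization header in both its raw form (`AC ED 00 05`) and its base64 form (`rO0AB`). The servlet path `/helpdesk/AjaxProxy`, the combined log format, and the log lines and bodies are assumptions made for the example.

```python
"""
Added example, not part of the advisory or of SolarWinds' own tooling:
triage constructed web-server log lines and captured request bodies for
the two artefacts named in the Detection section, POST requests to the
AjaxProxy servlet and Java serialized-object payloads. The servlet path
"/helpdesk/AjaxProxy" and the "combined" log format are assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Java serialization stream header: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# base64 of those four bytes always begins with "rO0AB".
B64_BLOB_RE = re.compile(r"rO0AB[A-Za-z0-9+/]*={0,2}")

# Apache/nginx "combined" access-log format (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


@dataclass
class Hit:
    ip: str
    ts: str
    path: str
    status: int


def scan_access_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per POST whose path names the AjaxProxy servlet.

    Access logs carry no request body, so this stage only narrows down
    which requests deserve a look at the body (WAF/proxy log or pcap).
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if "ajaxproxy" in m["path"].lower():
            hits.append(Hit(m["ip"], m["ts"], m["path"], int(m["status"])))
    return hits


def java_serialized_indicator(body: bytes) -> Optional[str]:
    """Describe why a request body looks like a Java serialized object.

    Checks the raw header first, then any base64 blob starting with
    "rO0AB" (after URL-decoding, so %2B/%2F/%3D inside the blob are
    restored). Returns None when neither form is present.
    """
    if JAVA_SERIAL_MAGIC in body:
        return "raw Java serialization header AC ED 00 05"
    text = unquote(body.decode("latin-1"))
    for m in B64_BLOB_RE.finditer(text):
        blob = m.group(0)
        if len(blob) < 8:
            continue  # too short to decode two full base64 quartets
        if base64.b64decode(blob[:8]).startswith(JAVA_SERIAL_MAGIC):
            return "base64-encoded Java serialization header (rO0AB...)"
    return None


# Constructed sample data; addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Sep/2025:10:15:01 +0000] "POST /helpdesk/AjaxProxy HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.4 - - [23/Sep/2025:10:15:05 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 8121 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/Sep/2025:10:15:09 +0000] "POST /helpdesk/ajaxproxy?x=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.4 - - [23/Sep/2025:10:15:12 +0000] "GET /helpdesk/AjaxProxy HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
]
SAMPLE_BODIES = {
    # truncated stream header followed by the start of a HashMap class descriptor
    "raw": b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap",
    # the same bytes base64-encoded and URL-encoded inside a form field
    "b64": b"token=rO0ABXNyABFqYXZhLnV0aWwuSGFzaE1hcA%3D%3D&action=ping",
    "benign": b"action=ping&id=42",
}

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"{h.ts} {h.ip} POST {h.path} -> {h.status}")
    for name, body in SAMPLE_BODIES.items():
        print(f"{name}: {java_serialized_indicator(body)}")
```

The two stages are deliberately separate: the access log tells you which client hit `AjaxProxy` and whether the server answered 500, but only a WAF or reverse-proxy log, or a packet capture, holds the body needed for the header check. A matching base64 blob is a strong signal because legitimate form fields rarely begin with `rO0AB`; treat a raw `AC ED 00 05` hit in a body sent to the WHD interface the same way.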
## References
- SolarWinds Security Advisory (CVE-2025-26399): hxxps[://]www[.]solarwinds[.]com/trust-center/security-advisories/cve-2025-26399
- SolarWinds Trust Center: hxxps[://]www[.]solarwinds[.]com/trust-center/security-advisories
- CISA Known Exploited Vulnerabilities Catalog: hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2025-26399
- Canadian Centre for Cyber Security Advisory: hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/solarwinds-security-advisory-av25-613-update-1