Critical Vulnerability in SolarWinds Web Help Desk
History:
- 24/09/2025 - v1.0 - Initial publication
Summary
On September 17, 2025, SolarWinds released a security advisory addressing a critical vulnerability in its Web Help Desk product. The vulnerability fixed by this advisory is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986 [1].
It is recommended to update affected assets as soon as possible.
Technical Details
The vulnerability CVE-2025-26399, with a CVSS score of 9.8, is an unauthenticated AjaxProxy deserialisation remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine [1].
Affected Products
SolarWinds Web Help Desk 12.8.7 and all previous versions are affected by this vulnerability.
Recommendations
It is recommended to update affected assets as soon as possible.
References
[1] https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399