Listen to this Post
The vulnerability CVE-2025-26399 is a critical unauthenticated remote code execution (RCE) flaw in SolarWinds Web Help Desk, specifically within the AjaxProxy functionality . It represents a patch bypass of two previous CVEs: CVE-2024-28988 (which was a bypass of the original CVE-2024-28986) . The root cause is insecure deserialization of untrusted data by the jabsorb library used in the AjaxProxy component . To exploit this, an attacker must chain it with another bypass, such as CVE-2025-40536, to circumvent CSRF validation by adding a fake URI parameter containing “/ajax/” . Once the security controls are bypassed, the attacker can access the AjaxProxy functionality . The core issue is that previous patches only sanitized JSON payloads when the request URI contained the string “ajax” . By changing the request path to avoid including “ajax”, an attacker can bypass the sanitization entirely . Additionally, a blacklist function meant to reject suspicious payloads can be bypassed by prepending whitelisted Java terms to a malicious JNDI lookup payload . Successful exploitation triggers a JNDI lookup, leading to arbitrary code execution on the host machine with high privileges .
Platform: SolarWinds Web Help Desk
Version: 12.8.7 and prior
Vulnerability : AjaxProxy Deserialization RCE
Severity: Critical
date: September 23, 2025
Prediction: Already patched (Hotfix 1)
What Undercode Say:
Analytics:
To detect potential exploitation, monitor for processes spawned by the Web Help Desk service. Use the following Splunk search query to find suspicious command-line activity .
index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 | search Image="java.exe" ParentImage="webhelpdesk" | table _time, ComputerName, User, ParentImage, Image, CommandLine
For Linux-based hosts, audit process creation logs via auditd. The following command can be used to watch for `java` executions from the webhelpdesk directory .
auditctl -w /usr/local/webhelpdesk -p wa -k webhelpdesk_process ausearch -k webhelpdesk_process --format text
Network-level analytics should focus on outbound JNDI/LDAP connections, which are common for deserialization exploits. The following Snort rule can alert on potential exploitation traffic .
alert tcp $HOME_NET any -> $EXTERNAL_NET $PORT (msg:"SolarWinds WHD Potential JNDI Lookup"; content:"|16 2f|"; depth:2; byte_test:1, &, 0x80, 0, relative; content:"ldap://"; nocase; threshold:type limit, track by_src, seconds 60, count 1; sid:10000001; rev:1;)
How Exploit:
The attack chain begins with an unauthenticated request to establish a session and extract a Session ID and CSRF token . The attacker then bypasses CSRF protection by adding a fake parameter containing `/ajax/` to a request for the `LoginPref` component . This allows the creation of an `AjaxProxy` instance. The attacker then crafts a specific JSON-RPC request to the vulnerable endpoint, bypassing the blacklist by prefixing a whitelisted term (e.g., java.lang.ProcessBuilder) to a malicious JNDI payload . The final payload triggers a JNDI lookup to an attacker-controlled server, which returns a malicious Java class that executes arbitrary system commands . A proof-of-concept using a tool like Nuclei might look like this :
nuclei -t cves/2025/CVE-2025-40551.yaml -u https://target-victim.com
Protection from this CVE:
The primary protection is to immediately install the official hotfix, upgrading to SolarWinds Web Help Desk version 12.8.7 HF1 or higher . The hotfix replaces several JAR files and introduces a new one to properly remediate the deserialization flaw .
Example commands to apply hotfix on Linux systemctl stop webhelpdesk cd /usr/local/webhelpdesk/bin/webapps/helpdesk/WEB-INF/lib/ cp whd-core.jar /backup/ cp whd-web.jar /backup/ cp whd-persistence.jar /backup/ rm c3p0.jar cp /path/to/hotfix/.jar . systemctl start webhelpdesk
If immediate patching is not possible, restrict network access to the Web Help Desk application to trusted internal IPs only via firewall rules . Deploy and tune virtual patching or IPS signatures, such as SonicWall’s IPS 21895 and 21896, to detect and block exploitation attempts .
Impact:
Successful exploitation grants an unauthenticated attacker remote code execution on the host system with the privileges of the Web Help Desk application, which often runs with elevated rights . This allows attackers to install backdoors, steal credentials via LSASS access, deploy ransomware, and use the compromised host as a foothold for lateral movement across the network . In observed intrusions, attackers used this access to deploy legitimate RMM tools like ManageEngine, establish reverse SSH tunnels, and perform DCSync attacks to compromise entire domains . The vulnerability’s inclusion in CISA’s KEV catalog confirms its active exploitation in the wild, posing a significant risk to enterprise IT operations and critical infrastructure .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

