SolarWinds Web Help Desk, Deserialization RCE, CVE-2025-26399 (Critical)

Listen to this Post

The vulnerability CVE-2025-26399 is a critical unauthenticated remote code execution (RCE) flaw in SolarWinds Web Help Desk, specifically within the AjaxProxy functionality . It represents a patch bypass of two previous CVEs: CVE-2024-28988 (which was a bypass of the original CVE-2024-28986) . The root cause is insecure deserialization of untrusted data by the jabsorb library used in the AjaxProxy component . To exploit this, an attacker must chain it with another bypass, such as CVE-2025-40536, to circumvent CSRF validation by adding a fake URI parameter containing “/ajax/” . Once the security controls are bypassed, the attacker can access the AjaxProxy functionality . The core issue is that previous patches only sanitized JSON payloads when the request URI contained the string “ajax” . By changing the request path to avoid including “ajax”, an attacker can bypass the sanitization entirely . Additionally, a blacklist function meant to reject suspicious payloads can be bypassed by prepending whitelisted Java terms to a malicious JNDI lookup payload . Successful exploitation triggers a JNDI lookup, leading to arbitrary code execution on the host machine with high privileges .
Platform: SolarWinds Web Help Desk
Version: 12.8.7 and prior
Vulnerability : AjaxProxy Deserialization RCE
Severity: Critical
date: September 23, 2025

Prediction: Already patched (Hotfix 1)

What Undercode Say:

Analytics:

To detect potential exploitation, monitor for processes spawned by the Web Help Desk service. Use the following Splunk search query to find suspicious command-line activity .

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| search Image="java.exe" ParentImage="webhelpdesk"
| table _time, ComputerName, User, ParentImage, Image, CommandLine

For Linux-based hosts, audit process creation logs via auditd. The following command can be used to watch for `java` executions from the webhelpdesk directory .

auditctl -w /usr/local/webhelpdesk -p wa -k webhelpdesk_process
ausearch -k webhelpdesk_process --format text

Network-level analytics should focus on outbound JNDI/LDAP connections, which are common for deserialization exploits. The following Snort rule can alert on potential exploitation traffic .

alert tcp $HOME_NET any -> $EXTERNAL_NET $PORT (msg:"SolarWinds WHD Potential JNDI Lookup"; content:"|16 2f|"; depth:2; byte_test:1, &, 0x80, 0, relative; content:"ldap://"; nocase; threshold:type limit, track by_src, seconds 60, count 1; sid:10000001; rev:1;)

How Exploit:

The attack chain begins with an unauthenticated request to establish a session and extract a Session ID and CSRF token . The attacker then bypasses CSRF protection by adding a fake parameter containing `/ajax/` to a request for the `LoginPref` component . This allows the creation of an `AjaxProxy` instance. The attacker then crafts a specific JSON-RPC request to the vulnerable endpoint, bypassing the blacklist by prefixing a whitelisted term (e.g., java.lang.ProcessBuilder) to a malicious JNDI payload . The final payload triggers a JNDI lookup to an attacker-controlled server, which returns a malicious Java class that executes arbitrary system commands . A proof-of-concept using a tool like Nuclei might look like this :

nuclei -t cves/2025/CVE-2025-40551.yaml -u https://target-victim.com

Protection from this CVE:

The primary protection is to immediately install the official hotfix, upgrading to SolarWinds Web Help Desk version 12.8.7 HF1 or higher . The hotfix replaces several JAR files and introduces a new one to properly remediate the deserialization flaw .

Example commands to apply hotfix on Linux
systemctl stop webhelpdesk
cd /usr/local/webhelpdesk/bin/webapps/helpdesk/WEB-INF/lib/
cp whd-core.jar /backup/
cp whd-web.jar /backup/
cp whd-persistence.jar /backup/
rm c3p0.jar
cp /path/to/hotfix/.jar .
systemctl start webhelpdesk

If immediate patching is not possible, restrict network access to the Web Help Desk application to trusted internal IPs only via firewall rules . Deploy and tune virtual patching or IPS signatures, such as SonicWall’s IPS 21895 and 21896, to detect and block exploitation attempts .

Impact:

Successful exploitation grants an unauthenticated attacker remote code execution on the host system with the privileges of the Web Help Desk application, which often runs with elevated rights . This allows attackers to install backdoors, steal credentials via LSASS access, deploy ransomware, and use the compromised host as a foothold for lateral movement across the network . In observed intrusions, attackers used this access to deploy legitimate RMM tools like ManageEngine, establish reverse SSH tunnels, and perform DCSync attacks to compromise entire domains . The vulnerability’s inclusion in CISA’s KEV catalog confirms its active exploitation in the wild, posing a significant risk to enterprise IT operations and critical infrastructure .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: www.cve.org
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top