CVE-2025-26399

CRITICAL KEV

SolarWinds Web Help Desk < 12.8.6 - Unauthenticated Remote Code Execution via AjaxProxy Deserialization

Title source: llm

Exploitation Summary

CVE-2025-26399 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 9, 2026. EIP tracks 1 public exploit from researchers including rxerium.

AI-analyzed exploit summary: This repository provides a Nuclei template for detecting SolarWinds Web Help Desk instances vulnerable to CVE-2025-26399 by checking the version against a known vulnerable range. It does not include an exploit but aids in identification.

Description

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

Exploits (1)

nomisec SCANNER 2 stars
by rxerium · poc
https://github.com/rxerium/CVE-2025-26399

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: SolarWinds Web Help Desk < 12.8.7.0
No auth needed
Prerequisites: Access to the target's login page
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.3053
EPSS Percentile 96.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2026-03-09
VulnCheck KEV 2026-01-20
ENISA EUVD EUVD-2025-30842
CWE CWE-502
Status published
Products (2)
solarwinds/web_help_desk 12.8.7
solarwinds/web_help_desk < 12.8.6
Published Sep 23, 2025
KEV Added Mar 09, 2026
Tracked Since Feb 18, 2026