Emerging threats, such as SolarWinds, a household name within the IT and cybersecurity community. Important security announcement just now. The purpose of this release is to address an important vulnerability marked CVE-2025-26399. This flaw has a critical CVSS score of 9.8. This affects the function in SolarWinds Web Help Desk before 12.7.1019.0, where it allows remote attackers to execute arbitrary code on compromised installations without requiring user interaction or authentication. On September 17, 2025, the company released a public advisory. They explained the vulnerability and recommended users to patch the exploit as soon as possible.
This vulnerability lies in an AjaxProxy component of SolarWinds Web Help Desk, due to insufficient validation of data given by users. The attack This vulnerability can be exploited to trigger the deserialization of untrusted data. This sharedMounts vulnerability provides an attacker with arbitrary command execution capabilities on the host machine. This fails open, and a fix has been made available by SolarWinds in the form of an update to Web Help Desk version 12.8.7 HF1.
Previous Vulnerabilities and Patches
This is not the first time that SolarWinds has faced vulnerabilities of this kind. In 2024, two additional vulnerabilities were discovered and fixed—CVE-2024-28986 and CVE-2024-28988. Each case points to long-standing issues with security vulnerabilities in SolarWinds products.
Ryan Dewhurst, head of proactive threat intelligence at watchTowr, commented on the pattern of reoccurring vulns within SolarWinds software.
“Fast forward to 2024: an unauthenticated remote deserialization vulnerability (CVE-2024-28986) was patched… then patched again (CVE-2024-28988). And now, here we are with yet another patch (CVE-2025-26399) addressing the very same flaw.” – Ryan Dewhurst
Such patterns were enough to raise alarm bells across the cybersecurity community, considering the company’s recent history with supply chain attacks.
The Impact of the 2020 Supply Chain Attack
The 2020 supply chain attack against SolarWinds was a watershed moment for the cybersecurity industry. We previously noted that Russia’s Foreign Intelligence Service (SVR) committed a historically high impact incident. This vulnerability provided nefarious actors with continued access to hundreds of Western government departments, greatly undermining trust in software supply chains.
Thankfully, CVE-2025-26399 has not been exploited in the wild so far but it is important to remain vigilant. As the history of SolarWinds vulnerabilities reminds us, things can change with alarming speed. As highlighted by a recent analysis,
“This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Web Help Desk. Authentication is not required to exploit this vulnerability.” – ZDI advisory
Recommendations for Users
Upgrade your instances to SolarWinds Web Help Desk 12.8.7 HF1 as soon as possible! This should minimize risks that may be related to CVE-2025-26399. The positive spin to the proactive steps SolarWinds has taken in issuing this patch is that it shows they are serious about releasing security patches quickly.