theinfosecnews

CVE-2025-26399

CISA KEV

Published March 9, 2026 · Updated April 3, 2026

high

What This Means

**CVE-2025-26399: SolarWinds Web Help Desk Remote Code Execution**

SolarWinds Web Help Desk's AjaxProxy component deserializes untrusted data without validation, allowing unauthenticated attackers to execute arbitrary code on affected servers. An attacker can exploit this to fully compromise the system and move laterally within your environment.

**Action Items:**

- Identify all Web Help Desk instances in your environment immediately using asset discovery tools.
- Apply SolarWinds security patches for this vulnerability as they become available; check SolarWinds advisory SWDS-2025-001 or your instance's update portal.
- Until patching, restrict network access to Web Help Desk to trusted IP ranges and monitor AjaxProxy endpoints for POST requests with serialized payloads.
- Review authentication logs and network telemetry for exploitation attempts targeting /webapp/ajaxproxy or similar endpoints.
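One way to triage the AjaxProxy monitoring and trusted-range items above, as an added example (not code from SolarWinds or this site): it scans web access logs for POST requests whose path contains "ajaxproxy" and marks those that come from outside the trusted ranges. The combined log format, the sample lines, the `flag_ajaxproxy_posts` name and the CIDR list are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed combined-log-format prefix: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def flag_ajaxproxy_posts(lines, trusted_cidrs, needle="ajaxproxy"):
    """Return POSTs to AjaxProxy-like paths; 'trusted' marks allowlisted sources."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Compare case-insensitively on the path only, ignoring any query string.
        if needle not in m["path"].split("?", 1)[0].lower():
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
            trusted = any(src in n for n in nets)
        except ValueError:
            trusted = False  # hostname or malformed client field: keep it visible
        hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                     "status": int(m["status"]), "trusted": trusted})
    return hits

# Constructed sample lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Mar/2026:10:01:02 +0000] "POST /webapp/ajaxproxy HTTP/1.1" 200 512',
    '203.0.113.77 - - [09/Mar/2026:10:03:44 +0000] "POST /webapp/AjaxProxy?x=1 HTTP/1.1" 500 0',
    '203.0.113.77 - - [09/Mar/2026:10:03:50 +0000] "GET /webapp/login HTTP/1.1" 200 2048',
    '198.51.100.5 - - [09/Mar/2026:10:05:00 +0000] "POST /webapp/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for hit in flag_ajaxproxy_posts(SAMPLE_LOG, ["192.0.2.0/24"]):
        label = "trusted" if hit["trusted"] else "REVIEW"
        print(label, hit["ts"], hit["ip"], hit["path"], hit["status"])
```

Access logs normally do not record request bodies, so this narrows down which requests to examine; confirming a serialized payload requires body capture at a proxy or WAF.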

Official Description

SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.

Affected Products

| Vendor | Product |
| --- | --- |
| SolarWinds | Web Help Desk |

Patch Status

Patch by 2026-03-12

Recommended Actions

  1. Check if your systems use any of the affected products listed above.
  2. Apply vendor patches immediately if available.
  3. This vulnerability is in CISA's Known Exploited Vulnerabilities catalog — prioritize remediation.
  4. Monitor vendor advisories for updates and additional mitigations.
  5. Review logs for indicators of compromise related to CVE-2025-26399.

Related Coverage

Vulnerability

CVE-2025-26399: SolarWinds Web Help Desk AjaxProxy Deserialization Flaw Enables Remote Code Execution

CVE-2025-26399 is an unauthenticated remote code execution vulnerability in the AjaxProxy component of SolarWinds Web Help Desk, caused by deserialization of untrusted data without validation. An attacker with network access to the application can execute arbitrary commands on the host server. CISA has added this CVE to the Known Exploited Vulnerabilities catalog, mandating federal agency remediation by March 12, 2026.

CISA KEV · 25d ago · 3 min read