Key Takeaway
CVE-2025-26399 is an unauthenticated remote code execution vulnerability in the AjaxProxy component of SolarWinds Web Help Desk, caused by deserialization of untrusted data without validation. An attacker with network access to the application can execute arbitrary commands on the host server. CISA has added this CVE to the Known Exploited Vulnerabilities catalog, mandating federal agency remediation by March 12, 2026.
CVE-2025-26399: SolarWinds Web Help Desk AjaxProxy Deserialization Flaw Enables Remote Code Execution
CVE ID: CVE-2025-26399 Vendor: SolarWinds Product: Web Help Desk Vulnerability Type: Deserialization of Untrusted Data (CWE-502) Attack Vector: Network CISA KEV Patch Deadline: March 12, 2026 (federal agencies)
Vulnerability Overview
CVE-2025-26399 is a deserialization of untrusted data vulnerability residing in the AjaxProxy component of SolarWinds Web Help Desk. The flaw exists because the AjaxProxy endpoint accepts and deserializes user-supplied data without sufficient validation or integrity checks. An unauthenticated remote attacker can send a crafted serialized payload to the affected endpoint and trigger arbitrary command execution on the underlying host operating system.
Deserialization vulnerabilities of this class are consistently high-severity because exploitation does not require valid credentials. The attack surface is the network interface exposed by Web Help Desk — any system capable of reaching the application can attempt exploitation.
Technical Details
The AjaxProxy component in SolarWinds Web Help Desk processes serialized Java objects as part of its request handling. When attacker-controlled serialized data reaches the deserialization routine without type filtering or cryptographic signing, the runtime can be manipulated into executing arbitrary code via gadget chains present in the application's classpath.
This class of vulnerability follows a well-documented exploitation pattern. Attackers submit a malicious serialized object — typically constructed using tooling such as ysoserial — to the vulnerable endpoint, commonly reachable at paths like /webapp/ajaxproxy. Upon deserialization, the gadget chain executes OS-level commands under the privileges of the Web Help Desk service account.
Successful exploitation yields:
- Remote code execution on the Web Help Desk server
- Full system compromise if the service runs with elevated privileges
- Lateral movement into internal network segments reachable from the Help Desk host
- Credential harvesting from the application database, which may contain service account passwords, API keys, and ticketing system integrations
SolarWinds Web Help Desk is commonly deployed with broad internal network access and integrations to Active Directory, LDAP, and ITSM workflows. A compromised instance provides an attacker with a high-value pivot point.
Real-World Impact
SolarWinds products have been targeted in high-profile intrusion campaigns. The Orion supply chain attack attributed to APT29 (Cozy Bear) demonstrated that SolarWinds infrastructure represents a prioritized target for sophisticated threat actors seeking persistent access to enterprise and government networks.
CVE-2025-26399 affects organizations running Web Help Desk in on-premises deployments — including federal agencies, managed service providers, and enterprises that rely on the platform for IT ticketing and asset management. CISA's inclusion of this CVE in the Known Exploited Vulnerabilities (KEV) catalog signals that exploitation activity has been observed or is assessed as highly probable, triggering the mandatory March 12, 2026 remediation deadline for Federal Civilian Executive Branch (FCEB) agencies.
Beyond the federal sector, any organization running an internet-exposed or internally accessible Web Help Desk instance without network-level controls is at material risk. The unauthenticated nature of this vulnerability eliminates the access barrier that typically limits exploitation to post-compromise stages.
Patching and Mitigation Guidance
1. Apply the vendor patch immediately. Check SolarWinds advisory SWDS-2025-001 and the Web Help Desk update portal for the patched release. Prioritize patching over all other mitigations — compensating controls do not eliminate the underlying flaw.
2. Enumerate all Web Help Desk instances. Use asset discovery tooling, CMDB records, and network scanning to identify every instance in your environment, including shadow IT deployments and instances managed by subsidiaries or MSP partners.
3. Restrict network access pending patching. Apply firewall rules or network ACLs to limit inbound connections to Web Help Desk to trusted IP ranges only. Remove any internet-facing exposure immediately. Web Help Desk does not require public internet access in most deployment scenarios.
4. Monitor AjaxProxy endpoints for exploitation attempts.
Deploy detection rules targeting POST requests to /webapp/ajaxproxy and similar paths. Flag requests containing Java serialized object magic bytes (AC ED 00 05 in hex) or Base64-encoded payloads in request bodies. Forward relevant logs to your SIEM for correlation.
5. Review recent authentication and process execution logs. Examine Web Help Desk server logs for anomalous child process spawning from the application service, unexpected outbound network connections, and unusual authentication events in Active Directory tied to the service account used by Web Help Desk.
6. Audit service account privileges. If the Web Help Desk service account holds domain or local administrator rights, scope those privileges down to the minimum required for operation. This limits post-exploitation blast radius if the vulnerability has already been used against your environment.
Federal agencies must treat the March 12, 2026 CISA deadline as a hard cutoff, but all organizations should treat this as an emergency-priority patch given the unauthenticated remote code execution potential.
Original Source
CISA KEV
Related Articles
CVE Pending: Critical Vulnerability in Anthropic's Claude Code Discovered Days After Source Code Leak
Adversa AI discovered a critical vulnerability in Anthropic's Claude Code agentic coding assistant within days of Anthropic accidentally leaking the product's source code. Claude Code operates with elevated system privileges in developer environments, making exploitation potentially severe — including credential theft, CI/CD pipeline manipulation, and lateral movement. Organizations should audit deployments, rotate credentials, and apply patches immediately once Anthropic releases a fix.
CVE-2024-6387: OpenSSH regreSSHion RCE Flaw Exposes Millions of Linux Servers to Unauthenticated Root Access
CVE-2024-6387 (regreSSHion) is a signal handler race condition in OpenSSH sshd versions 8.5p1 through 9.7p1 that allows unauthenticated remote code execution as root. Discovered by Qualys, the flaw affects an estimated 700,000 publicly exposed servers. Administrators should upgrade to OpenSSH 9.8p1 immediately or set LoginGraceTime 0 as a temporary workaround.
Apple Expands DarkSword Exploit Kit Mitigations Across Device Fleet After State-Sponsored and Spyware Vendor Abuse
Apple has expanded mitigations against the DarkSword exploit kit to additional devices after the toolkit was used in operations by state-sponsored threat groups and commercial spyware vendors. The expansion follows Apple's standard model of phased protection rollouts across its device ecosystem. All Apple device owners should apply the latest OS updates immediately, and high-risk individuals should enable Lockdown Mode.
CVE-2026-20093: Critical Cisco IMC Authentication Bypass Carries CVSS 9.8
Cisco has patched CVE-2026-20093, a critical authentication bypass vulnerability in the Cisco Integrated Management Controller (IMC) with a CVSS score of 9.8. An unauthenticated remote attacker can exploit the flaw to bypass authentication and gain elevated privileges over affected hardware management interfaces. Administrators should apply Cisco's patch immediately and restrict IMC network access to isolated management VLANs.