SolarWinds has released a hotfix for a critical security flaw in its Web Help Desk (WHD) product that allows remote code execution (RCE) without authentication.
The vulnerability, tracked as CVE-2025-26399, impacts the latest WHD version, 12.8.7, and is caused by unsafe deserialization handling in the AjaxProxy component. Successful exploitation would let an attacker run arbitrary commands on the host system.
According to SolarWinds, this hotfix is the third attempt to fix an earlier flaw (CVE-2024-28986) affecting WHD 12.8.3 and older versions. The company noted that CVE-2025-26399 is a patch bypass of CVE-2024-28988, which itself bypassed the original fix.
Last year, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the initial vulnerability was exploited in attacks and added it to its Known Exploited Vulnerabilities catalog.
The new bug was reported through the Trend Micro Zero Day Initiative (ZDI). While there are no reports of active exploitation yet, SolarWinds urges customers to apply the hotfix immediately.
The update requires installing Web Help Desk version 12.8.7 and replacing several JAR files with patched versions provided by SolarWinds. The hotfix can be downloaded from the SolarWinds Customer Portal, where detailed installation instructions are available.





