Threat Advisory

SolarWinds Web Help Desk Vulnerabilities Allow Remote Command Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical


EXECUTIVE SUMMARY:

SolarWinds Web Help Desk is affected by an unauthenticated AjaxProxy deserialization vulnerability that allows remote attackers to execute arbitrary commands on the underlying server, effectively enabling full system compromise if the instance is exposed to untrusted networks. This issue is a patch-bypass instance that undermines earlier fixes and highlights the continued risk of deserialization flaws in exposed service components; SolarWinds has released a hotfix for Web Help Desk. Administrators should immediately stop Web Help Desk, back up and replace the affected JAR files with those supplied in the hotfix, and restart the service. Additionally, organizations should ensure instances are not directly internet-facing, apply network segmentation and layered defenses, and verify the hotfix installation across all exposed instances.

  • CVE-2025-26399: An unauthenticated AjaxProxy deserialization vulnerability in SolarWinds Web Help Desk that allows remote attackers to execute arbitrary commands on the server. Exploitation of this flaw can occur without valid credentials, making exposed instances highly vulnerable. Successful attacks could lead to full system compromise and unauthorized access to sensitive data. The vulnerability has a CVSS score of 9.8.
  • CVE-2024-28988: A deserialization vulnerability in SolarWinds Web Help Desk that allows unauthenticated remote attackers to execute arbitrary commands on the server, potentially leading to full system compromise. Successful exploitation could allow attackers to bypass existing security controls and gain administrative access. The vulnerability has a CVSS score of 9.8.

RECOMMENDATION:

  • We strongly recommend you update SolarWinds Web Help Desk to version 12.8.7 Hotfix 1.


REFERENCES:

The following reports contain further technical details:
