CVE-2025-26399 SolarWinds Web Help Desk Overview and Takeaways
A critical vulnerability (CVE-2025-26399) has been identified in SolarWinds Web Help Desk, which allows unauthenticated remote attackers to execute arbitrary code on affected systems. Although CVE-2025-26399 was originally disclosed in 2025, recent reports confirm this vulnerability is now being actively exploited in the wild. This development significantly elevates the risk to impacted environments. Immediate remediation is required to prevent compromise.
What do I need to know?
- CVE ID: CVE-2025-26399
- Severity: Critical (CVSS 3.1 Score: 9.8)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Impact: Full compromise of confidentiality, integrity, and availability
- Root Cause: Insecure deserialization of Untrusted Data (CWE-502) in the AjaxProxy component
Products & Systems Affected
- Earliest Patched Version:
12.8.7 Hotfix 1
- Exploit Status:
Actively exploited; listed in CISA’s Known Exploited Vulnerabilities Catalog
- Related CVEs:
CVE-2025-26399 is a bypass of patches for CVE-2024-28988 and CVE-2024-28986
What do I need to do?
We recommend the following steps to identify and remediate this vulnerability:
- Apply the vendor patch:
- Upgrade to SolarWinds Web Help Desk 12.8.7 Hotfix 1, or newer, immediately.
- SolarWinds Advisory & Patch Download
- If patching is not immediately possible:
- Restrict network access to the Web Help Desk server.
- Monitor for suspicious activity, including unexpected process execution and outbound connections.
- Audit and Monitor:
- Review logs for signs of exploitation attempts.
- Implement additional endpoint detection and response (EDR) monitoring for anomalous behavior.
NetSPI Product and Services Coverage
NetSPI’s External Attack Surface Management is issuing a version-based detection for this CVE, which will present as: Vulnerable Version – SolarWinds Web Help Desk Insecure Deserialization (CVE-2025-26399).
NetSPI’s Penetration Testing Services can also help identify exposure to this vulnerability.
Explore More Blog Posts
Scaling Security with Modern PTaaS: Gartner Report Insights
Discover Gartner® 2025 insights on how PTaaS scales security with continuous validation, automation, and real-time remediation, and how NetSPI can help.
Why Continuous Testing is the New Standard for Modern Security
NetSPI's continuous pentesting delivers regular, tailored assessments across critical assets, customized to your organization's risk profile and operational cadence to ensure coverage where it matters most. These services are delivered through NetSPI’s leading PTaaS platform using existing workflows.
CVE-2026-0300 Palo Alto Networks PAN-OS Buffer Overflow Overview & Takeaways
Palo Alto Networks has disclosed a critical zero-day vulnerability in PAN-OS, tracked as CVE-2026-0300, affecting PA-Series and VM-Series firewalls with the User-ID Authentication Portal (Captive Portal) enabled. The flaw is a pre-authentication buffer overflow that allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on affected devices.