CVE-2024-28988
Published 2025-09-01
Priority P184 · critical · CVSS 3.1: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 36.62% (98.3th percentile)
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability was found by the ZDI team after researching a previous vulnerability and providing this report. The ZDI team was able to discover an unauthenticated attack during their research.
We recommend all Web Help Desk customers apply the patch, which is now available.
We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | web_help_desk | <= 12.8.6 | — |
| solarwinds | web_help_desk | <= 12.8.2 | — |
| solarwinds | web_help_desk | — | — |
| solarwinds | web_help_desk | — | — |
| solarwinds | web_help_desk | — | — |
Detection & IOCs
path: /helpdesk/WebObjects/Helpdesk.woa
other: http.favicon.hash:"1895809524"
- Detect vulnerable SolarWinds Web Help Desk instances by requesting the Helpdesk.woa endpoint and matching version strings below 12.8.3.0 extracted from the build token query parameter pattern.
- Match HTTP response body for SolarWinds WHD-specific strings to confirm product presence before version-checking.
- Use Shodan favicon hash to identify exposed SolarWinds Web Help Desk instances on the internet.
- CVE-2024-28988 is a patch bypass of CVE-2024-28986, targeting unsafe deserialization in the AjaxProxy component; monitor for unauthenticated POST requests to AjaxProxy endpoints on WHD servers.
- The vulnerability was initially reported as unauthenticated, but SolarWinds was unable to reproduce it without authentication; exploitation requirements may vary.
- CVE-2024-28988 is itself a patch bypass of CVE-2024-28986, and was subsequently bypassed again by CVE-2025-26399; patching to 12.8.3 or 12.8.7 alone may not be sufficient without applying the latest hotfix.
- The hotfix for the latest bypass (CVE-2025-26399) requires WHD version 12.8.7 to be installed first before applying the hotfix JARs.
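One way to act on the AjaxProxy monitoring hint and the patch caveats above, as an added example that is not from SolarWinds or any source cited on this page. It assumes a combined-format access log and that the component name appears in the request URI; the sample lines and their `EXAMPLE` URI segment are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

WHD_PATH = "/helpdesk/webobjects/helpdesk.woa"  # path from this page, lowercased
COMPONENT = "ajaxproxy"                          # component named on this page

# Assumption: combined log format, as written by a reverse proxy or Tomcat valve.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample lines; the EXAMPLE segment is a placeholder, not a WHD route.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Sep/2025:10:00:01 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 5120
198.51.100.7 - - [01/Sep/2025:10:00:05 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/EXAMPLE/AjaxProxy HTTP/1.1" 200 312
198.51.100.7 - - [01/Sep/2025:10:00:06 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/EXAMPLE/ajaxproxy?x=1 HTTP/1.1" 500 0
192.0.2.10 - tech1 [01/Sep/2025:10:02:00 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/EXAMPLE/AjaxProxy HTTP/1.1" 200 90
192.0.2.44 - - [01/Sep/2025:10:03:00 +0000] "POST /other/AjaxProxy HTTP/1.1" 404 0
garbage line that does not parse
"""

def flag_ajaxproxy_posts(log_text):
    """Return parsed POSTs under the WHD path whose URI names AjaxProxy."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # unparseable lines and non-POST requests are skipped
        uri = m["uri"].lower()
        if uri.startswith(WHD_PATH) and COMPONENT in uri:
            hits.append(m.groupdict())
    return hits

def summarize(hits):
    """Count flagged requests per client address for triage."""
    return Counter(h["ip"] for h in hits)

def patch_state(version, hotfix_applied):
    """Map an installed version to the patch guidance quoted on this page."""
    v = tuple(int(p) for p in version.split("."))
    if v < (12, 8, 3):
        return "below 12.8.3.0: matches the page's vulnerable-version check"
    if v < (12, 8, 7):
        return "upgrade to 12.8.7, then apply the CVE-2025-26399 hotfix"
    if v[:3] == (12, 8, 7):
        return "12.8.7 with hotfix" if hotfix_applied else "apply the CVE-2025-26399 hotfix"
    return "newer than 12.8.7: not covered by this page"
```

An access log does not show whether a request was authenticated, so every flagged line is a candidate for review rather than a confirmed attempt.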
GHSA
GHSA-3mr8-x6wp-2wc6: SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an
ghsa_unreviewed·2025-11-15
CVE-2024-28988 [CRITICAL] CWE-502 GHSA-3mr8-x6wp-2wc6: SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an
GHSA
GHSA-vfrj-f292-3f24: SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if expl
ghsa_unreviewed·2025-09-23·CVSS 9.8
CVE-2025-26399 [CRITICAL] CWE-502 GHSA-vfrj-f292-3f24: SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if expl
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
No detection rules found.
Nuclei
SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization
nuclei·CVSS 9.8
CVE-2024-28986 [CRITICAL] SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization
SolarWinds Web Help Desk versions before 12.8.3 contain a critical Java deserialization vulnerability that enables remote code execution. Attackers can exploit this flaw to execute arbitrary commands on the host machine. The flaw was initially reported as unauthenticated; SolarWinds was unable to reproduce it without authentication but still recommended immediate patching. With a CVSS score of 9.8, this vulnerability was discovered by Inmarsat Government researchers and added to CISA's Known Exploited Vulnerabilities Catalog due to active exploitation in the wild. The complete attack vector requires low complexity and has high impact on confidentiality, integrity, and availability. This vulnerability was later bypassed, leading to CVE-2024-28988.
Checkpoint
16th March – Threat Intelligence Report
blogs_checkpoint·2026-03-16
CVE-2025-26399 16th March – Threat Intelligence Report
## 16th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 16th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
United States-based medical technology company Stryker has suffered a cyberattack that caused a global disruption to its environment. The company said its surgical robotics, clinical communications platform, and life support monitors are safe to use. Media reports said employee devices were factory reset across multiple locati
Checkpoint
2nd March – Threat Intelligence Report
blogs_checkpoint·2026-03-02
CVE-2025-59536 2nd March – Threat Intelligence Report
## 2nd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate the stolen dataset includes HR-related information, including contact details and employment records f
Bleepingcomputer
SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
blogs_bleepingcomputer·2026-01-28·CVSS 9.8
CVE-2025-40552 [CRITICAL] SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
## SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
## Sergiu Gatlan
SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software.
The authentication bypass security flaws (tracked as CVE-2025-40552 and CVE-2025-40554) patched today by SolarWinds were reported by watchTowr's Piotr Bazydlo and can be exploited by remote unauthenticated threat actors in low-complexity attacks.
Bazydlo also found and reported a critical remote code execution (RCE) flaw (CVE-2025-40553) stemming from an untrusted data deserialization weakness that can enable attackers without privileges to run commands on vulnerable hosts.
A second RCE vulnerability (CVE-2025-40551) reported by
Bleepingcomputer
SolarWinds releases third patch to fix Web Help Desk RCE bug
blogs_bleepingcomputer·2025-09-23·CVSS 9.8
CVE-2025-26399 [CRITICAL] SolarWinds releases third patch to fix Web Help Desk RCE bug
## SolarWinds releases third patch to fix Web Help Desk RCE bug
## Bill Toulas
SolarWinds has released a hotfix for a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication.
Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions.
SolarWinds WHD is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance.
CVE-2025-26399 affects the latest WHD version 12.8.7 and is caused by unsafe deserialization handling in the AjaxProxy component. Successful exploitation allows an unauthenticat
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio