CVE-2025-26399
published 2025-09-23

Priority: P1 (score 100)
Severity: critical, CVSS 3.1 base score 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability: listed, remediation due 2026-03-12
Exploited in the wild: yes
EPSS: 88.33% (99.8th percentile)
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

Affected (2 ranges)

Vendor      Product         Version range   Fixed in
solarwinds  web_help_desk   <= 12.8.6       (not listed)
solarwinds  web_help_desk   (not listed)    (not listed)

Detection & IOCs (extracted from sources)

url:      hxxps://files.catbox[.]moe/tmp9fc.msi
url:      hxxps://vdfccjpnedujhrzscjtq.supabase[.]co/storage/v1/object/public/image/v4.msi
url:      hxxps://github[.]com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi (the official cloudflared release download; a legitimate tool pulled in by the actor, so the download alone is not malicious)
domain:   vdfccjpnedujhrzscjtq.supabase[.]co
domain:   auth.qgtxtebl.workers[.]dev
domain:   v2-api.mooo[.]com
email:    esmahyft@proton[.]me
command:  SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR "C:\Users\\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"
registry: HKLM\SYSTEM\CurrentControlSet\Services\mpssvc /v Start /t REG_DWORD /d 4
registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender /v DisableAntiSpyware /t REG_DWORD /d 1
registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealTimeMonitoring /t REG_DWORD /d 1
path:     C:\ProgramData\Microsoft\code.exe
path:     C:\Program Files\Velociraptor\Velociraptor.exe
path:     C:\Program Files\WebHelpDesk\
path:     C:\Program Files\WebHelpDesk\version.txt
port:     22022
version:  Velociraptor 0.73.4
filename: vault.db
process:  TOOLSIQ.EXE
detection rule (EQL; the query uses Elastic EQL syntax, not Sigma):
  any where host.os.type == "windows" and ((event.category == "library" and process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and (dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or (event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe")))
  • Alert on DLLs loaded by java.exe under the WebHelpDesk directory from UNC/network paths (\Device\Mup\*) or without a trusted code signature.
  • Alert on qemu-system-x86_64.exe started with user-mode networking that forwards host TCP port 22022 to guest port 22 (hostfwd=tcp::22022-:22): a covert SSH backdoor into a VM booted from vault.db, persisted as the SYSTEM scheduled task "TPMProfiler" in the command above.
  • Treat HTTP 406 responses from v2-api.mooo[.]com as the C2 failover trigger the actor uses to rotate Velociraptor infrastructure.
  • Alert on registry writes that disable the Windows Firewall service and Defender (mpssvc Start=4, DisableAntiSpyware=1, DisableRealTimeMonitoring=1) landing in rapid succession; the three writes together are a consistent pattern in this campaign.
  • Flag code.exe in C:\ProgramData\Microsoft\: the VS Code binary staged in an unusual path and used as a remote-tunnel C2 channel.
  • Detect NTDS.dit access or copying via shadow copy (vssuirun.exe) and the SMB print command, used for credential dumping from domain controllers.
  • Look for Velociraptor.exe communicating outbound to Cloudflare Workers domains (*.workers.dev); this is the primary C2 channel in observed campaigns.
  • CVE-2025-26399 affects SolarWinds Web Help Desk 12.8.7 and ALL previous versions. It is a patch bypass of CVE-2024-28988, which itself was a patch bypass of CVE-2024-28986. Any installation without the vendor hotfix remains vulnerable.
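The detection points above, applied as a single triage pass over host telemetry. This is an added example written for this page; it is not code from the page's sources, from SolarWinds, or from the Velociraptor project. Field names follow the ECS-style names used in the EQL rule above; the sample events are constructed for the demo, the rule names and the 60-second burst window are assumptions, and the version.txt format (a plain dotted version string) is also an assumption, since the page only lists the path.

```python
import re
from datetime import datetime, timedelta

# Indicators lifted from the IOC list above; everything else is constructed for the demo.
WHD_JAVA = re.compile(r"^C:\\Program Files( \(x86\))?\\WebHelpDesk\\.*\\java[^\\]*\.exe$", re.I)
LOLBINS = {"cmd.exe", "powershell.exe", "rundll32.exe"}
QEMU_SSH_TUNNEL = re.compile(r"hostfwd=tcp::22022-:22\b", re.I)
STAGED_CODE_EXE = re.compile(r"^C:\\ProgramData\\Microsoft\\code\.exe$", re.I)
WORKERS_DEV = re.compile(r"\.workers\.dev$", re.I)
DEFENSE_REG = {  # registry value path (lower-cased) -> data that disables the control
    r"hklm\system\currentcontrolset\services\mpssvc\start": "4",
    r"hklm\software\policies\microsoft\windows defender\disableantispyware": "1",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring": "1",
}
AFFECTED_MAX = (12, 8, 7)  # "12.8.7 and ALL previous versions", per the note above

# Constructed Sysmon/EDR-style events with ECS-like field names (not real telemetry).
WHD_JAVA_PATH = r"C:\Program Files\WebHelpDesk\bin\jre\bin\java.exe"
SAMPLE_EVENTS = [
    {"ts": "2025-09-24T10:00:00", "category": "process", "process.name": "cmd.exe",
     "process.parent.executable": WHD_JAVA_PATH, "process.command_line": "cmd.exe /c whoami"},
    {"ts": "2025-09-24T10:00:05", "category": "library", "process.executable": WHD_JAVA_PATH,
     "dll.path": r"\Device\Mup\10.0.0.5\share\x.dll", "dll.code_signature.trusted": False},
    {"ts": "2025-09-24T10:02:00", "category": "registry",
     "registry.path": r"HKLM\SYSTEM\CurrentControlSet\Services\mpssvc\Start", "registry.data": "4"},
    {"ts": "2025-09-24T10:02:01", "category": "registry",
     "registry.path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware", "registry.data": "1"},
    {"ts": "2025-09-24T10:02:02", "category": "registry",
     "registry.path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealTimeMonitoring",
     "registry.data": "1"},
    {"ts": "2025-09-24T10:05:00", "category": "process", "process.name": "qemu-system-x86_64.exe",
     "process.parent.executable": r"C:\Windows\System32\svchost.exe",
     "process.command_line": "qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db -device e1000,netdev=net0 "
                             "-netdev user,id=net0,hostfwd=tcp::22022-:22"},
    {"ts": "2025-09-24T10:06:00", "category": "process", "process.name": "code.exe",
     "process.executable": r"C:\ProgramData\Microsoft\code.exe",
     "process.parent.executable": r"C:\Windows\System32\cmd.exe", "process.command_line": "code.exe tunnel"},
    {"ts": "2025-09-24T10:07:00", "category": "network", "process.name": "Velociraptor.exe",
     "dns.question.name": "auth.qgtxtebl.workers.dev"},
    {"ts": "2025-09-24T10:08:00", "category": "process", "process.name": "cmd.exe",  # benign: a different JRE
     "process.parent.executable": r"C:\Program Files\Java\jdk-17\bin\java.exe", "process.command_line": "cmd.exe /c dir"},
]


def triage(events, burst_window_s=60):
    """Apply the campaign rules above; return [(rule, iso_timestamp)] sorted by time.
    burst_window_s (an assumption) bounds how close the three defense-disabling
    registry writes must be to count as one burst."""
    hits, defense_seen = [], {}
    for e in events:
        cat, ts = e.get("category"), e["ts"]
        if cat == "process":
            if e.get("process.name", "").lower() in LOLBINS and WHD_JAVA.match(e.get("process.parent.executable", "")):
                hits.append(("whd_java_spawned_shell", ts))
            if QEMU_SSH_TUNNEL.search(e.get("process.command_line", "")):
                hits.append(("qemu_ssh_backdoor_tunnel", ts))
            if STAGED_CODE_EXE.match(e.get("process.executable", "")):
                hits.append(("vscode_staged_in_programdata", ts))
        elif cat == "library" and WHD_JAVA.match(e.get("process.executable", "")):
            from_unc = e.get("dll.path", "").lower().startswith("\\device\\mup\\")
            # trusted is False (bad signature) or absent (unsigned): both count, as in the EQL rule
            if from_unc or e.get("dll.code_signature.trusted") is not True:
                hits.append(("whd_java_loaded_untrusted_dll", ts))
        elif cat == "registry":
            path = e.get("registry.path", "").lower()
            if DEFENSE_REG.get(path) == str(e.get("registry.data")):
                defense_seen[path] = datetime.fromisoformat(ts)
        elif cat == "network":
            if e.get("process.name", "").lower() == "velociraptor.exe" and WORKERS_DEV.search(e.get("dns.question.name", "")):
                hits.append(("velociraptor_c2_workers_dev", ts))
    if len(defense_seen) == len(DEFENSE_REG):
        first, last = min(defense_seen.values()), max(defense_seen.values())
        if last - first <= timedelta(seconds=burst_window_s):
            hits.append(("defender_and_firewall_disabled_burst", first.isoformat()))
    return sorted(hits, key=lambda h: h[1])


def whd_version_in_affected_range(version_txt):
    """True if a WHD version string (e.g. the contents of version.txt, '12.8.7') is at or
    below 12.8.7. Assumption: version.txt holds a dotted numeric string; the page does
    not show its format. True for 12.8.7 means 'confirm the hotfix is applied', since the
    hotfix level is not part of this comparison."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version_txt)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {version_txt!r}")
    return tuple(int(x) for x in m.groups()) <= AFFECTED_MAX


if __name__ == "__main__":
    for rule, ts in triage(SAMPLE_EVENTS):
        print(ts, rule)
    print("12.8.7 in affected range:", whd_version_in_affected_range("12.8.7"))
```

The registry rule deliberately requires all three writes inside one window rather than firing on each write alone: a single DisableRealTimeMonitoring change is common admin noise, while the firewall-service-plus-Defender triple in a few seconds is the campaign pattern. The benign cmd.exe under a non-WebHelpDesk JRE in the sample is there to show the parent-path check does not fire on every Java child process.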

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck  -        9.8    CRITICAL  -
cisa       -        9.8    CRITICAL  -