# CVE-2025-26399
Published: 2025-09-23
Priority: P1 (100) · critical · 9.8 CVSS 3.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2026-03-12
Exploited in the wild
EPSS: 88.33% (99.8th percentile)
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | web_help_desk | <= 12.8.6 | — |
| solarwinds | web_help_desk | — | — |
Detection & IOCs (extracted from sources)
- url: hxxps://github[.]com/cloudflare/cloudflared/releases/latest/download/cloudflared-windows-amd64.msi
- command: SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR "C:\Users\\tmp\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db - device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"
- registry: HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection /v DisableRealTimeMonitoring /t REG_DWORD /d 1
- sigma (detection query as published):

```
any where host.os.type == "windows" and ((event.category == "library" and process.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe") and (dll.path : "\\Device\\Mup\\*" or dll.code_signature.trusted == false or ?dll.code_signature.exists == false)) or (event.category == "process" and process.name : ("cmd.exe", "powershell.exe", "rundll32.exe") and process.parent.executable : ("C:\\Program Files\\WebHelpDesk\\*\\java*.exe", "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe")))
```

- Detect DLL loads from UNC/network paths (\Device\Mup\*) or unsigned DLLs loaded by java.exe under the WebHelpDesk directory.
- Detect QEMU establishing SSH port forwarding on non-standard port 22022 (hostfwd=tcp::22022-:22), indicative of a covert SSH backdoor tunnel.
- Detect HTTP 406 responses from v2-api.mooo[.]com as a C2 failover trigger signal used to rotate Velociraptor infrastructure.
- Alert on registry modifications disabling Windows Defender and Windows Firewall (mpssvc Start=4, DisableAntiSpyware=1, DisableRealTimeMonitoring=1) executed in rapid succession, a consistent pattern in this campaign.
- Flag the presence of code.exe in C:\ProgramData\Microsoft\: a VS Code binary staged in an unusual path for use as a remote tunnel C2 channel.
- Detect NTDS.dit access or copying via shadow copy (vssuirun.exe) and SMB print command, used for credential dumping from domain controllers.
- Look for Velociraptor communicating outbound to Cloudflare Workers domains (*.workers.dev); this is the primary C2 channel used in observed campaigns.
- CVE-2025-26399 affects SolarWinds Web Help Desk 12.8.7 and ALL previous versions. It is a patch bypass of CVE-2024-28988, which itself was a patch bypass of CVE-2024-28986. Organizations on any version prior to the hotfix remain vulnerable.
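The following Python is an added, defender-side example that is not part of this page or of any of the cited sources. It reimplements the logic of the detection query above (the two branches: suspicious DLL loads by the WebHelpDesk JVM, and shells spawned by it) over a constructed set of flat ECS-style event records, and adds a small check for the QEMU `hostfwd=tcp::<port>-:22` pattern from the scheduled-task IOC. The field names follow the query; the sample events, the sample command line and the helper names are assumptions made for illustration.

```python
import fnmatch
import re

# Added example (not from the page or its sources): the quoted EQL-style rule
# re-expressed over flat ECS-like event dicts, plus a check for the QEMU
# user-mode SSH forward seen in the scheduled-task IOC.

WHD_JAVA_EXACT = (
    "C:\\Program Files\\WebHelpDesk\\*\\java.exe",
    "C:\\Program Files (x86)\\WebHelpDesk\\*\\java.exe",
)
WHD_JAVA_ANY = (
    "C:\\Program Files\\WebHelpDesk\\*\\java*.exe",
    "C:\\Program Files (x86)\\WebHelpDesk\\*\\java*.exe",
)
CHILD_SHELLS = ("cmd.exe", "powershell.exe", "rundll32.exe")
UNC_DLL = ("\\Device\\Mup\\*",)


def _match_any(value, patterns):
    """Case-insensitive wildcard match, mirroring the ':' operator in the rule."""
    if value is None:
        return False
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def is_suspicious_whd_dll_load(ev):
    """library event: WHD java.exe loading a DLL from a UNC path, a DLL with an
    untrusted signature, or an unsigned DLL. An absent signature field compares
    as null (no match), which is what the '?' optional-field prefix in the rule means."""
    if ev.get("event.category") != "library":
        return False
    if not _match_any(ev.get("process.executable"), WHD_JAVA_EXACT):
        return False
    return (
        _match_any(ev.get("dll.path"), UNC_DLL)
        or ev.get("dll.code_signature.trusted") is False
        or ev.get("dll.code_signature.exists") is False
    )


def is_whd_spawned_shell(ev):
    """process event: cmd/powershell/rundll32 whose parent is WHD java*.exe."""
    if ev.get("event.category") != "process":
        return False
    if (ev.get("process.name") or "").lower() not in CHILD_SHELLS:
        return False
    return _match_any(ev.get("process.parent.executable"), WHD_JAVA_ANY)


def detect(events):
    """Return (index, reason) for each event the rule would flag; Windows hosts only."""
    hits = []
    for i, ev in enumerate(events):
        if ev.get("host.os.type") != "windows":
            continue
        if is_suspicious_whd_dll_load(ev):
            hits.append((i, "suspicious DLL load by WebHelpDesk java.exe"))
        elif is_whd_spawned_shell(ev):
            hits.append((i, "shell spawned by WebHelpDesk java"))
    return hits


QEMU_SSH_FWD = re.compile(r"hostfwd=tcp::(\d+)-:22\b")


def qemu_ssh_forward_port(cmdline):
    """Host port of a QEMU user-mode forward to guest port 22, or None if absent."""
    m = QEMU_SSH_FWD.search(cmdline or "")
    return int(m.group(1)) if m else None


# Constructed sample events (not real telemetry). Expected hits: indices 1, 2, 5.
SAMPLE_EVENTS = [
    {"host.os.type": "windows", "event.category": "library",               # 0: benign signed load
     "process.executable": "C:\\Program Files\\WebHelpDesk\\bin\\jre\\bin\\java.exe",
     "dll.path": "C:\\Windows\\System32\\kernel32.dll",
     "dll.code_signature.trusted": True, "dll.code_signature.exists": True},
    {"host.os.type": "windows", "event.category": "library",               # 1: DLL from UNC path
     "process.executable": "C:\\Program Files\\WebHelpDesk\\bin\\jre\\bin\\java.exe",
     "dll.path": "\\Device\\Mup\\10.0.0.5\\share\\helper.dll",
     "dll.code_signature.trusted": True, "dll.code_signature.exists": True},
    {"host.os.type": "windows", "event.category": "process",               # 2: cmd.exe under javaw.exe
     "process.name": "cmd.exe",
     "process.parent.executable": "C:\\Program Files (x86)\\WebHelpDesk\\bin\\jre\\bin\\javaw.exe"},
    {"host.os.type": "windows", "event.category": "process",               # 3: unrelated parent
     "process.name": "cmd.exe", "process.parent.executable": "C:\\Windows\\explorer.exe"},
    {"host.os.type": "linux", "event.category": "process",                 # 4: out of rule scope
     "process.name": "cmd.exe",
     "process.parent.executable": "C:\\Program Files\\WebHelpDesk\\bin\\java.exe"},
    {"host.os.type": "windows", "event.category": "library",               # 5: unsigned DLL
     "process.executable": "C:\\Program Files\\WebHelpDesk\\bin\\jre\\bin\\java.exe",
     "dll.path": "C:\\Users\\Public\\tmp\\x.dll", "dll.code_signature.exists": False},
]

# Constructed command line modelled on the scheduled-task IOC (username is a placeholder).
SAMPLE_TASK_CMD = ('SCHTASKS /CREATE /V1 /RU SYSTEM /SC ONSTART /F /TN "TPMProfiler" /TR '
                   '"C:\\Users\\PLACEHOLDER\\tmp\\qemu-system-x86_64.exe -m 1G -smp 1 -hda vault.db '
                   '-device e1000,netdev=net0 -netdev user,id=net0,hostfwd=tcp::22022-:22"')

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {why}")
    print("qemu ssh forward on host port:", qemu_ssh_forward_port(SAMPLE_TASK_CMD))
```

The `*` wildcard in `fnmatch` crosses path separators, as the `:` operator in the rule does, so the nested `bin\jre\bin` directory under the WebHelpDesk root still matches; the optional-field semantics matter because a library event that carries no `dll.code_signature` fields at all would otherwise be flagged as unsigned and generate noise.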
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
GHSA
GHSA-vfrj-f292-3f24 · ghsa_unreviewed · 2025-09-23 · CVSS 9.8 · CVE-2025-26399 [CRITICAL] · CWE-502
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
VulnCheck
vulncheck · 2025 · CVSS 9.8 · CVE-2025-26399 [CRITICAL] · CWE-502
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.
Affected: SolarWinds Web Help Desk
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-2025
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2026-03-12
VulnCheck
vulncheck · 2025 · CVSS 9.8 · CVE-2025-40551 [CRITICAL] · CWE-502
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication.
Affected: SolarWinds Web Help Desk
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://www.huntress.com/blog/active-exploitation-solarwinds-web-help-desk-cve-2025-26399
- https://www.recordedfuture.com/blog/january-2026-cve-landscape
CISA
cisa · 2026-03-09 · CVSS 9.8 · CVE-2025-26399 [CRITICAL] · CWE-502
Vulnerability: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
Affected: SolarWinds Web Help Desk
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes:
- https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399
- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm
- https://nvd.nist.gov/vuln/detail/CVE-2025-26399
Remediation Due Date: 2026-03-12
No detection rules found.
Nuclei
nuclei · CVSS 9.8 · CVE-2024-28986 [CRITICAL]
SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization
SolarWinds Web Help Desk before version 12.8.3 contains a critical Java deserialization vulnerability that enables remote code execution. Attackers can exploit this flaw to execute arbitrary commands on the host machine. Initially reported as unauthenticated, SolarWinds was unable to reproduce it without authentication but still recommended immediate patching. The vulnerability, scored CVSS 9.8, was discovered by Inmarsat Government researchers and added to CISA's Known Exploited Vulnerabilities Catalog due to active exploitation in the wild. The attack requires low complexity and has high impact on confidentiality, integrity, and availability. This vulnerability was later bypassed, leading to CVE-2024-28988.
Bleepingcomputer
blogs_bleepingcomputer · 2026-04-17 · CVE-2025-26399
## Payouts King ransomware uses QEMU VMs to bypass endpoint security
By Bill Toulas
The Payouts King ransomware is using the QEMU emulator as a reverse SSH backdoor to run hidden virtual machines on compromised systems and bypass endpoint security.
QEMU is an open-source CPU emulator and system virtualization tool that allows users to run operating systems on a host computer as virtual machines (VMs).
Since security solutions on the host cannot scan inside the VMs, attackers can use them to execute payloads, store malicious files, and create covert remote access tunnels over SSH.
For these reasons, QEMU has been abused in past operations by multiple threat actors, including the 3AM ransomware group, LoudMiner cryptomining, and ‘CRON#TRAP’ phishing.
Researchers at cybersecurity c
Checkpoint
blogs_checkpoint · 2026-03-16 · CVE-2025-26399
## 16th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 16th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
United States-based medical technology company Stryker has suffered a cyberattack that caused a global disruption to its environment. The company said its surgical robotics, clinical communications platform, and life support monitors are safe to use. Media reports said employee devices were factory reset across multiple locati
Checkpoint
blogs_checkpoint · 2026-03-02 · CVE-2025-59536
## 2nd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate the stolen dataset includes HR-related information, including contact details and employment records f
Elastic
blogs_elastic · 2026-02-10 · CVSS 9.8 · [CRITICAL]
## SolarWinds Web Help Desk Exploitation - February 2026 — Elastic Security Labs
Elastic Security detection and prevention capabilities for the recently-disclosed SolarWinds Web Help Desk vulnerabilities.
## Summary
- On February 6, 2026, Microsoft reported the exploitation of SolarWinds Web Help Desk (WHD) servers
- The exploitation facilitated multi-stage intrusions leveraging remote monitoring and management software (RMM), credential dumping, and setting up tunnels and RDP for persistent access
- While not yet confirmed, the activity may be associated with one of the following disclosed CVEs: CVE-2025-26399, CVE-2025-40536, and CVE-2025-40551
- Elastic Security Labs does not observe telemetry events related to this activity as of the date of this publication
- Elastic Defend provides comprehensive visibility,
Bleepingcomputer
blogs_bleepingcomputer · 2026-02-09 · CVSS 9.8 · [CRITICAL]
## Hackers exploit SolarWinds WHD flaws to deploy DFIR tool in attacks
By Bill Toulas
Hackers are exploiting SolarWinds Web Help Desk (WHD) vulnerabilities to deploy legitimate tools for malicious purposes, such as the Zoho ManageEngine remote monitoring and management tool.
The attacker targeted at least three organizations and also leveraged Cloudflare tunnels for persistence, and the Velociraptor cyber incident response tool for command and control (C2).
The malicious activity was spotted over the weekend by researchers at Huntress Security, who believe that it is part of a campaign that started on January 16 and leveraged recently disclosed SolarWinds WHD flaws.
“On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in
Huntress
blogs_huntress · 2026-02-08 · CVSS 9.8 · [CRITICAL]
## Active Exploitation of SolarWinds Web Help Desk (CVE-2025-26399)
Acknowledgments: Special thanks to Dipo Rodipe, Dray Agha, and Lindon Wass for their contributions to this investigation and write-up.
TL;DR: Huntress has observed threat actors exploiting the SolarWinds Web Help Desk vulnerability across 3 customers; organizations should apply the update from SolarWinds’ website as soon as possible.
## Background
On February 7, 2026, Huntress SOC analyst Dipo Rodipe investigated a case of SolarWinds Web Help Desk exploitation, in which the threat actor rapidly deployed Zoho Meetings and Cloudflare tunnels for persistence, as well as Velociraptor for means of command and control.
This intrusion stemmed from the many recently disclosed vulnerabilities affecting SolarWinds WHD. The most critical vulnerabilities grant an adversary arbitrary code execution vi
Bleepingcomputer
blogs_bleepingcomputer · 2026-01-28 · CVSS 9.8 · CVE-2025-40552 [CRITICAL]
## SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
By Sergiu Gatlan
SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software.
The authentication bypass security flaws (tracked as CVE-2025-40552 and CVE-2025-40554) patched today by SolarWinds were reported by watchTowr's Piotr Bazydlo and can be exploited by remote unauthenticated threat actors in low-complexity attacks.
Bazydlo also found and reported a critical remote code execution (RCE) flaw (CVE-2025-40553) stemming from an untrusted data deserialization weakness that can enable attackers without privileges to run commands on vulnerable hosts.
A second RCE vulnerability (CVE-2025-40551) reported by
Checkpoint
blogs_checkpoint · 2025-09-29 · CVE-2025-26399
## 29th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Stellantis, Automotive maker giant which owns Citroën, FIAT, Jeep, Chrysler, and Peugeot, has suffered a data breach that resulted in exposure of North American customer contact information after attackers accessed a third-party platform tied to its Salesforce environment. ShinyHunters threat actor claims responsibili
Bleepingcomputer
blogs_bleepingcomputer · 2025-09-23 · CVSS 9.8 · CVE-2025-26399 [CRITICAL]
## SolarWinds releases third patch to fix Web Help Desk RCE bug
By Bill Toulas
SolarWinds has released a hotfix for a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication.
Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions.
SolarWinds WHD is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance.
CVE-2025-26399 affects the latest WHD version 12.8.7 and is caused by unsafe deserialization handling in the AjaxProxy component. Successful exploitation allows an unauthenticat
Greynoiseio
blogs_greynoiseio
## NoiseLetter February 2026
References:
- https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_12-8-7-hotfix-1_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26399
- https://www.microsoft.com/en-us/security/blog/2026/02/06/active-exploitation-solarwinds-web-help-desk/

Timeline:
- 2025-09-23: Published
- 2026-03-09: Added to CISA KEV
- Exploited in the wild