SolarWinds Web Help Desk flaw added to CISA KEV after active exploitation


Admins using SolarWinds Web Help Desk need to patch now. A critical remote code execution flaw, tracked as CVE-2025-26399, has been added to CISA’s Known Exploited Vulnerabilities catalog after confirmed in-the-wild abuse, which means attackers have already used it in real environments.

The bug affects the AjaxProxy component in SolarWinds Web Help Desk and stems from deserialization of untrusted data. In practical terms, an attacker can send crafted data to a vulnerable internet-facing server and execute commands on the host without authentication. NVD lists the issue as critical with a CVSS 3.1 base score of 9.8.

This is not just another theoretical flaw. Microsoft said it observed active exploitation of exposed SolarWinds Web Help Desk instances in multi-stage intrusions that moved from initial access to lateral movement and, in some cases, domain-level abuse. Microsoft also noted that investigators could not always tie each intrusion to one exact CVE because some systems were exposed to multiple Web Help Desk flaws at the same time, but CVE-2025-26399 is among the vulnerabilities under active review.

For federal civilian agencies in the US, the timeline was especially tight. CISA added CVE-2025-26399 to the KEV catalog on March 9, 2026, and set a remediation due date of March 12, 2026, under Binding Operational Directive 22-01. The required action says agencies must apply mitigations per vendor instructions, follow cloud-service guidance where relevant, or discontinue use of the product if mitigations are unavailable.

SolarWinds already released a fix. The company’s documentation says Web Help Desk 12.8.7 Hotfix 1 provides bug fixes for CVE-2025-26399, and customers that installed 12.8.7 should also install Hotfix 1. SolarWinds describes the vulnerability as an unauthenticated AjaxProxy deserialization remote code execution issue and says it is a patch bypass of CVE-2024-28988, which itself was a patch bypass of CVE-2024-28986.

The bigger concern is exposure. Microsoft’s guidance says organizations should patch, restrict exposure, remove public access to admin paths, increase logging on Ajax Proxy, and isolate compromised hosts. The company also warned that attackers in observed incidents used PowerShell, BITS, reverse SSH, RDP, and legitimate remote management tools after exploitation.

What CVE-2025-26399 means

Deserialization flaws happen when software accepts data, rebuilds it into objects, and trusts that input too much. In this case, the weakness gives attackers a path to run arbitrary commands on the server hosting SolarWinds Web Help Desk. Since the issue does not require authentication, exposed systems face the highest risk.
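The weakness described above, shown as an added example in Python (not SolarWinds code; Web Help Desk's own stack and the exact AjaxProxy input path are not covered here): the weak loader lets the serialized bytes name a callable that runs during loading, while the hardened loader resolves only an allow-listed record type and refuses everything else before any object is built. The `Ticket` and `Rogue` types are constructed for the demonstration.

```python
import io
import pickle
from dataclasses import dataclass

# Constructed example record type (not a Web Help Desk type): the only
# class this service legitimately expects to receive in serialized form.
@dataclass
class Ticket:
    ticket_id: int
    subject: str

# Allow-list mapping (module, qualified name) to the class object itself,
# so resolution never imports anything the serialized bytes ask for.
ALLOWED = {(Ticket.__module__, Ticket.__qualname__): Ticket}

class RestrictedUnpickler(pickle.Unpickler):
    """Rebuilds allow-listed types only; everything else is refused up front."""
    def find_class(self, module, name):
        try:
            return ALLOWED[(module, name)]
        except KeyError:
            raise pickle.UnpicklingError(f"refused {module}.{name}") from None

def load_untrusted_unsafe(data: bytes):
    # Weak pattern: the bytes decide which callables run while loading.
    return pickle.loads(data)

def load_untrusted_safe(data: bytes):
    # Hardened pattern: anything outside ALLOWED raises instead of running.
    return RestrictedUnpickler(io.BytesIO(data)).load()

class Rogue:
    """Constructed object whose serialized form names a callable (here the
    harmless str.upper) plus arguments that the loader will invoke."""
    def __reduce__(self):
        return (str.upper, ("input-chosen code ran",))

def serialize(obj) -> bytes:
    return pickle.dumps(obj)

def rogue_result(loader, data: bytes):
    """Return the rogue callable's result if the loader ran it, or None if
    the loader refused the payload before invoking anything."""
    try:
        return loader(data)
    except pickle.UnpicklingError:
        return None
```

The same allow-list idea applies to any native object deserializer: resolve type names against a fixed table of expected classes instead of the module namespace the input names.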

Why this matters now

CISA does not add bugs to the KEV catalog lightly. When a vulnerability lands there, security teams should treat it as an immediate operational problem rather than a routine patch item. That matters even more here because Microsoft has already linked exposed Web Help Desk deployments to hands-on-keyboard post-exploitation activity.

At-a-glance breakdown

Item              Details
Vulnerability     CVE-2025-26399
Product           SolarWinds Web Help Desk
Issue type        Deserialization of untrusted data
Impact            Unauthenticated remote code execution
Severity          CVSS 9.8 Critical
Component         AjaxProxy
KEV status        Added by CISA on March 9, 2026
Federal due date  March 12, 2026
Vendor fix        Web Help Desk 12.8.7 Hotfix 1

What admins should do right away

  • Patch SolarWinds Web Help Desk to 12.8.7 Hotfix 1 if you still run the affected branch.
  • Remove or restrict internet exposure for Web Help Desk, especially admin paths.
  • Review logs for suspicious command execution, PowerShell activity, BITS usage, reverse SSH, unexpected RDP, and newly installed remote management tools.
  • Rotate credentials and isolate affected hosts if you find signs of compromise.
  • Consider discontinuing use of the product if you cannot apply vendor mitigations.

FAQ

What is CVE-2025-26399?

It is a critical deserialization flaw in SolarWinds Web Help Desk that can let an unauthenticated attacker run commands on the host machine.

Is the flaw actively exploited?

Yes. CISA added it to the Known Exploited Vulnerabilities catalog, and Microsoft reported active exploitation involving exposed SolarWinds Web Help Desk instances.

Which versions are affected?

NVD shows affected configurations include SolarWinds Web Help Desk versions up to 12.8.6 and 12.8.7 before Hotfix 1.

What is the fix?

SolarWinds says customers on 12.8.7 should install 12.8.7 Hotfix 1, which addresses CVE-2025-26399.

What should organizations do if they cannot patch immediately?

They should restrict exposure, monitor aggressively for exploitation, isolate affected systems if needed, and consider disconnecting or discontinuing the product until mitigations are available.
