CVE-2025-26399 — SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

CVE-2025-26399

SolarWinds Web Help Desk — AjaxProxy Deserialization Bypass RCE (3rd Iteration; Warlock Ransomware Chain)

What is SolarWinds Web Help Desk?

SolarWinds Web Help Desk (WHD) is an IT service management and help desk ticketing platform used by organizations to manage IT support workflows, asset inventory, and change management. As an IT operations platform, WHD integrates with Active Directory, LDAP, and internal systems, giving it privileged access to organizational IT data. SolarWinds products have been a recurring high-profile target since the 2020 SUNBURST supply chain attack. This is the third iteration of the same AjaxProxy deserialization vulnerability class in WHD: CVE-2024-28986 → CVE-2024-28988 → CVE-2025-26399, each being a bypass of the previous patch.

Overview

CVE-2025-26399 is a critical pre-authentication Java deserialization vulnerability (CWE-502, CVSS 9.8) in the AjaxProxy component of SolarWinds Web Help Desk, and the third bypass of the same underlying flaw. Earlier patches applied deserialization filtering only when the request URI contained the string "ajax"; a request that reaches the same handler without the /ajax/ path segment skips the check entirely. An unauthenticated attacker sends a crafted HTTP request carrying a malicious serialized Java object and gains arbitrary OS command execution in the context of the WHD service account. Attackers chained CVE-2025-26399 with CVE-2025-40551 (a fourth iteration, disclosed January 2026) in Warlock ransomware deployments, and CISA set a 3-day federal remediation deadline.

Affected Versions

Product: SolarWinds Web Help Desk
Vulnerable: 12.8.7 and earlier
Fixed: 12.8.7 Hotfix 1 (HF1)

Note: The HF1 applies only to WHD 12.8.7. Organizations on older versions must first upgrade to 12.8.7, then apply HF1. Alternatively, upgrade to WHD 2026.1 (which also addresses CVE-2025-40551).

Technical Details

The vulnerability (CWE-502) is the third bypass of the same root cause in WHD's AjaxProxy component, which uses the jabsorb JSON-RPC library to dynamically invoke server-side Java components selected by the request URI. The earlier patches added a string check: if the URI contains "ajax", apply deserialization filtering. This bypass sends the request to the functionally equivalent wo (WebObjects) handler path, which does not contain the string "ajax", so the filter never activates and jabsorb deserializes the attacker-controlled payload without validation. The pattern keeps repeating because the filter is keyed on the request path rather than applied at the deserialization sink: every alternate route to the same handler stays unprotected until someone finds it.

The vulnerability is structurally identical to CVE-2025-40551 (the fourth iteration, disclosed January 2026), differing in the specific URI path used to bypass the sanitization check. Attackers routinely chained both CVEs in the same intrusions.
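The two paragraphs above describe the same mistake twice: a deserialization filter that is switched on by a substring of the request path, so any second route to the handler (the wo path for CVE-2025-26399, a different path for CVE-2025-40551) arrives unfiltered. The following Python model is an added example, not code from SolarWinds, jabsorb or the page; the routes "/ajax/rpc" and "/wo/rpc", the allowlist and the payloads are constructed stand-ins, since the page gives no concrete WHD URLs. It uses jabsorb's "javaClass" JSON tag as the type indicator and contrasts the path-gated filter with the same filter applied at the sink.

```python
import json

# Constructed stand-in routes to one JSON-RPC handler. The page names the
# AjaxProxy component and a WebObjects ("wo") path but no concrete URLs,
# so these are assumptions, not real WHD paths.
AJAX_ROUTE = "/ajax/rpc"
WO_ROUTE = "/wo/rpc"

# Hypothetical allowlist of the only types the handler legitimately needs.
ALLOWED_CLASSES = {"java.lang.String", "java.util.ArrayList", "java.util.HashMap"}


class DisallowedClass(Exception):
    """Raised when a payload names a type outside the allowlist."""


def class_names(node):
    """Walk a jabsorb-style JSON tree and yield every 'javaClass' tag it carries."""
    if isinstance(node, dict):
        if "javaClass" in node:
            yield node["javaClass"]
        for value in node.values():
            yield from class_names(value)
    elif isinstance(node, list):
        for value in node:
            yield from class_names(value)


def filtered_deserialize(body):
    """Parse the body and reject it if any tagged type is not allowlisted."""
    obj = json.loads(body)
    for name in class_names(obj):
        if name not in ALLOWED_CLASSES:
            raise DisallowedClass(name)
    return obj


def unfiltered_deserialize(body):
    """The original sink: whatever type the request names is accepted as-is."""
    return json.loads(body)


def handle_patched(path, body):
    """The bypassable fix: the filter runs only when the URI contains 'ajax'."""
    if "ajax" in path:
        return filtered_deserialize(body)
    return unfiltered_deserialize(body)


def handle_hardened(path, body):
    """The sink-side fix: the filter runs no matter which route delivered the request."""
    return filtered_deserialize(body)


def is_blocked(handler, path, body):
    """True if the handler refuses the payload, False if it deserializes it."""
    try:
        handler(path, body)
    except DisallowedClass:
        return True
    return False


# Constructed payloads: a benign call and one naming a type outside the allowlist.
BENIGN = json.dumps({"javaClass": "java.util.ArrayList", "list": ["ticket-1"]})
HOSTILE = json.dumps({"javaClass": "com.example.UnexpectedType", "field": "x"})

if __name__ == "__main__":
    for label, handler in (("patched", handle_patched), ("hardened", handle_hardened)):
        for route in (AJAX_ROUTE, WO_ROUTE):
            print(f"{label:8} {route:10} hostile blocked: {is_blocked(handler, route, HOSTILE)}")
```

Run as a script it prints that the patched handler blocks the hostile payload on the ajax route and lets it through on the wo route, while the hardened handler blocks it on both. The design point is that the allowlist belongs inside the deserializer, where there is exactly one place to get it right, rather than in the router, where every new alias of the handler is a new bypass.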

Discovery

No specific external researcher credited publicly. SecurityWeek noted the flaws may have been exploited as zero-days prior to the September 2025 disclosure.

Exploitation Context

Confirmed active exploitation. Huntress observed attacks against customer WHD instances, and the Microsoft Security Blog (February 2026) documented the full attack chain. CISA added CVE-2025-26399 to the KEV catalog on 9 March 2026 with a 3-day remediation deadline (12 March 2026), reflecting the severity and the ongoing exploitation in multi-CVE chains. Activity is attributed to operators linked to Warlock ransomware, who chained CVE-2025-26399, CVE-2025-40551 and older WHD vulnerabilities in multi-stage intrusions. Post-exploitation tooling: Velociraptor (a legitimate DFIR agent repurposed as a C2 tunnel), followed by Warlock ransomware as the final payload.

Remediation

  1. Apply WHD 12.8.7 Hotfix 1 immediately (for 12.8.7 users). Customers on older versions must upgrade to 12.8.7 first, then apply HF1.
  2. Alternatively, upgrade directly to WHD 2026.1 — this addresses both CVE-2025-26399 and the related CVE-2025-40551 in a single update.
  3. Restrict WHD network access: apply firewall rules to limit HTTPS access to WHD to trusted internal networks only — WHD should never be internet-accessible.
  4. Hunt for Velociraptor: look for Velociraptor agent installations, services or outbound connections on the WHD server and adjacent systems that your own DFIR team did not deploy; the tool is legitimate, so an inventory of sanctioned deployments is the baseline to compare against.
  5. Review the WHD web server access logs for POST requests to the AjaxProxy handler that omit the /ajax/ path segment; these are indicators of CVE-2025-26399 exploitation attempts, and any such request dated before HF1 was applied warrants incident response rather than patching alone.
  6. Rotate all credentials stored or accessible via WHD: Active Directory service accounts, SMTP relay credentials, API integrations.
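The log review in step 5 is the one check above that turns into code. The following Python is an added example, not tooling from SolarWinds or from the page: it parses Tomcat/Apache combined-format access lines and flags POSTs that reach the AjaxProxy handler without the /ajax/ segment. The log lines are constructed samples, and the "/helpdesk/.../AjaxProxy" URLs are an assumption, since the page names the handler but not its exact path; adjust the path test to match what your own WHD instance logs for legitimate AjaxProxy traffic.

```python
import re
from collections import Counter

# Constructed sample access log (combined format). Not from a real WHD host;
# the AjaxProxy URLs are assumed, the page does not give the exact path.
SAMPLE_LOG = """\
10.0.5.21 - - [20/Sep/2025:08:14:02 +0000] "GET /helpdesk/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.5.21 - - [20/Sep/2025:08:14:09 +0000] "POST /helpdesk/ajax/AjaxProxy HTTP/1.1" 200 311 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Sep/2025:08:15:44 +0000] "POST /helpdesk/wo/AjaxProxy HTTP/1.1" 200 97 "-" "python-requests/2.31"
203.0.113.7 - - [20/Sep/2025:08:15:45 +0000] "POST /helpdesk/wo/AjaxProxy HTTP/1.1" 500 0 "-" "python-requests/2.31"
10.0.5.40 - - [20/Sep/2025:08:16:01 +0000] "GET /helpdesk/wo/AjaxProxy HTTP/1.1" 405 0 "-" "curl/8.4"
"""

# Combined log format: client, ident, user, timestamp, request line, status, size,
# then optional referer and user-agent.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return the fields of one access log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_suspect(entry):
    """POST to the AjaxProxy handler that reaches it without the /ajax/ segment."""
    if entry["method"] != "POST":
        return False
    path = entry["path"].split("?", 1)[0]   # ignore any query string
    return path.lower().endswith("/ajaxproxy") and "/ajax/" not in path


def hunt(log_text):
    """Return the suspect entries and a per-source count of them."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_suspect(entry):
            hits.append(entry)
    return hits, Counter(h["src"] for h in hits)


if __name__ == "__main__":
    hits, by_src = hunt(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["src"]} {h["method"]} {h["path"]} -> {h["status"]} ({h["ua"]})')
    print("suspect requests by source:", dict(by_src))
```

On the sample it reports the two POSTs from 203.0.113.7 and nothing else: the legitimate POST through /ajax/ and the GET to the wo path are left alone. A real hunt should run over the full retention window, not just the days around disclosure, given the page's note that the flaw may have been exploited as a zero-day before September 2025.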

Key Details

CVE ID: CVE-2025-26399
Vendor / Product: SolarWinds — Web Help Desk
NVD Published: 2025-09-23
NVD Last Modified: 2026-03-10
CVSS 3.1 Score: 9.8
CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL
CWE: CWE-502
CISA KEV Added: 2026-03-09
CISA KEV Deadline: 2026-03-12
Known Ransomware Use: No (catalog field as recorded; the Exploitation Context section above reports Warlock ransomware operators chaining this CVE)

CVSS 3.1 Breakdown

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Required Action

CISA BOD 22-01 Deadline: 2026-03-12. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

2025-09-23: SolarWinds publishes advisory; CVE published; WHD 12.8.7 HF1 released
2026-03-09: CISA adds to Known Exploited Vulnerabilities catalog with 3-day deadline
2026-03-12: CISA BOD 22-01 remediation deadline (3-day window)