SolarWinds Issues Urgent Patch for Critical Web Help Desk Flaw

Summary
– SolarWinds has released a hotfix for a critical, unauthenticated remote code execution vulnerability (CVE-2025-26399) in its Web Help Desk software.
– This new flaw is the third patch bypass for an older vulnerability (CVE-2024-28986) and affects the latest Web Help Desk version 12.8.7.
– The vulnerability stems from unsafe deserialization in the AjaxProxy component, allowing attackers to run commands on the host machine.
– The original vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog after being used in attacks, but the new flaw is not yet reported as exploited.
– The hotfix requires specific file replacements and is available exclusively through the SolarWinds Customer Portal.
SolarWinds has issued an urgent hotfix to resolve a critical security vulnerability in its Web Help Desk software. This flaw, designated CVE-2025-26399, enables remote code execution without requiring any authentication, posing a severe risk to affected systems. The company’s Web Help Desk is a widely used platform for managing IT support tickets, automating workflows, and handling asset management, particularly within medium and large enterprises.
This newly identified vulnerability represents the third iteration of a security weakness originally tracked as CVE-2024-28986. It specifically impacts the latest version of the software, Web Help Desk 12.8.7. The root cause lies in unsafe deserialization within the AjaxProxy component. Exploiting this flaw allows an attacker with no login credentials to execute arbitrary commands directly on the underlying server. SolarWinds has explicitly stated that this latest issue is a patch bypass for a previous fix, CVE-2024-28988, which itself was a bypass for the initial vulnerability.
The original flaw from last year was considered serious enough to be added by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities catalog, confirming its active use in real-world attacks. The new vulnerability was responsibly disclosed to SolarWinds by researchers from the Trend Micro Zero Day Initiative (ZDI). Fortunately, there are currently no public reports of this specific flaw being exploited in the wild.
A hotfix is now available to address CVE-2025-26399. To apply the update, administrators must first stop the Web Help Desk service. The next step involves navigating to the `
This critical patch is available exclusively through the SolarWinds Customer Portal. System administrators are strongly encouraged to apply this fix immediately to protect their environments from potential compromise.
(Source: Bleeping Computer)