About:
RedLegg will occasionally communicate vulnerabilities disclosed outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats that we classify at the highest severity level and that warrant out-of-band emergency patching or mitigation action.
CVSS Score: 9.8 (Critical)
Identifier: CVE-2025-26399
Exploit or Proof of Concept (PoC): No known active exploitation yet; vulnerability has been patched.
Update: CVE-2025-26399 – SolarWinds Security Advisory
Description:
CVE-2025-26399 is a critical remote code execution vulnerability in SolarWinds Web Help Desk (WHD) 12.8.7 and earlier. It is an unauthenticated deserialization of untrusted, user-supplied data reached through the AjaxProxy component, so no valid WHD account is needed to reach the vulnerable code path. An attacker exploiting this flaw could run arbitrary commands on the host machine with SYSTEM-level privileges. This issue is a bypass of the fix for CVE-2024-28988, which was itself a bypass of the fix for CVE-2024-28986; both are earlier RCE vulnerabilities in WHD that SolarWinds had addressed.
Mitigation Recommendation:
Immediately apply SolarWinds' hotfix, WHD 12.8.7 HF1. Until it is applied, reduce exposure: restrict access to WHD at the network layer and isolate instances from untrusted networks. Because the flaw is reachable without authentication, a login requirement alone is not a mitigation. Since this is the second consecutive bypass of a fix for the same code path, keep the network restrictions in place after patching rather than relying on the hotfix alone.
Remove or replace outdated JAR files in the WHD installation (e.g., c3p0.jar) with the patched versions, and verify the integrity of whd-core.jar, whd-web.jar, and whd-persistence.jar by comparing their hashes against the files shipped in the hotfix.
Monitor logs for anomalous requests to AjaxProxy endpoints, particularly from sources outside the networks expected to reach WHD, and for unexpected command or process execution by the WHD service.
Validate that instances have been updated and conduct periodic audits to confirm they stay patched.
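The JAR verification and log monitoring steps above, as an added example that is not RedLegg's or SolarWinds' code. It assumes a manifest of SHA-256 digests for the JARs shipped in 12.8.7 HF1 (the values in the code are placeholders; take the real ones from the hotfix package), Tomcat-style Common Log Format access logs, and a WHD lib directory path that is only a guess. The sample log lines and the URL paths in them are constructed; only the AjaxProxy component name comes from the bulletin. The "rO0AB" check is a generic indicator of a base64-encoded Java serialization stream, not a signature for this particular CVE.

```python
"""Audit helpers for the CVE-2025-26399 mitigation steps (added example; not
SolarWinds or RedLegg code). Assumptions, all labelled:
  - EXPECTED_SHA256 holds SHA-256 digests of the JARs shipped in 12.8.7 HF1;
    the values here are placeholders, take the real ones from your hotfix
    package or the vendor download.
  - Access logs are Tomcat-style Common Log Format; the sample lines and the
    URL paths in them are constructed, only the AjaxProxy component name is
    taken from the bulletin.
"""
import hashlib
import ipaddress
import re
from collections import Counter
from pathlib import Path

# JARs the bulletin says to replace / verify after applying the hotfix.
CHECKED_JARS = ("whd-core.jar", "whd-web.jar", "whd-persistence.jar", "c3p0.jar")

# Placeholder digests (assumption): replace with the hotfix's real values.
EXPECTED_SHA256 = {name: "<sha256 of patched %s>" % name for name in CHECKED_JARS}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large JARs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_jars(lib_dir, expected=EXPECTED_SHA256):
    """Classify each checked JAR as ok / mismatch (outdated or tampered) / missing."""
    lib = Path(lib_dir)
    result = {"ok": [], "mismatch": [], "missing": []}
    for name in CHECKED_JARS:
        p = lib / name
        if not p.is_file():
            result["missing"].append(name)
        elif sha256_file(p) == expected.get(name):
            result["ok"].append(name)
        else:
            result["mismatch"].append(name)
    return result


# Common Log Format as written by Tomcat's AccessLogValve (pattern "common").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# base64 of the Java serialization stream header AC ED 00 05: a generic
# deserialization indicator, not a signature specific to this CVE.
JAVA_SER_B64 = "rO0AB"


def scan_access_log(lines, allowed_nets, burst_threshold=20):
    """Flag AjaxProxy requests from outside allowed_nets, requests carrying a
    Java serialization marker, and sources exceeding burst_threshold hits."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    alerts, per_source = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or "ajaxproxy" not in m["path"].lower():
            continue
        src = ipaddress.ip_address(m["ip"])
        per_source[str(src)] += 1
        reasons = []
        if not any(src in n for n in nets):
            reasons.append("source outside allowed networks")
        if JAVA_SER_B64 in m["path"]:
            reasons.append("Java serialization header in request")
        if reasons:
            alerts.append({"src": str(src), "time": m["ts"], "method": m["method"],
                           "status": m["status"], "reasons": reasons})
    for src, n in per_source.items():
        if n >= burst_threshold:
            alerts.append({"src": src, "reasons": [f"{n} AjaxProxy requests (burst)"]})
    return alerts


# Constructed sample log lines (not real WHD traffic; paths are made up).
SAMPLE_LOG = [
    '10.20.0.15 - - [23/Sep/2025:09:01:10 +0000] "POST /helpdesk/AjaxProxy HTTP/1.1" 200 318',
    '203.0.113.44 - - [23/Sep/2025:09:02:31 +0000] "POST /helpdesk/AjaxProxy HTTP/1.1" 500 0',
    '203.0.113.44 - - [23/Sep/2025:09:02:32 +0000] "GET /helpdesk/AjaxProxy?d=rO0ABXNyAA HTTP/1.1" 500 0',
    '10.20.0.15 - - [23/Sep/2025:09:03:00 +0000] "GET /helpdesk/login HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(alert)
    # Install path is an assumption; with placeholder digests every real JAR reports as mismatch.
    print(verify_jars("/opt/webhelpdesk/lib"))
```

Run verify_jars after applying HF1 and again on a schedule; a JAR that drifts to "mismatch" after it was "ok" means the file changed outside of patching and warrants investigation, not just re-patching. The log scanner is meant to run over exported access logs or be adapted to a SIEM query; access logs do not contain request bodies, so the serialization check only catches payloads that appear in the URL.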