Executive Summary
In September 2025, a critical vulnerability (CVE-2025-26399) was identified in SolarWinds Web Help Desk, allowing unauthenticated remote attackers to execute arbitrary code on affected systems. This flaw, rooted in insecure deserialization within the AjaxProxy component, enables attackers to run commands on the host machine without authentication. Despite previous patches for related vulnerabilities (CVE-2024-28986 and CVE-2024-28988), this issue persisted, leading to active exploitation in the wild. Organizations using versions up to 12.8.7 are at significant risk and should apply the latest hotfix immediately. The recurrence of such vulnerabilities underscores the importance of comprehensive security reviews and prompt patch management. As attackers increasingly exploit deserialization flaws, organizations must prioritize securing their software supply chains and implementing robust monitoring to detect and respond to such threats promptly.
Why This Matters Now
The active exploitation of CVE-2025-26399 highlights the urgency for organizations to apply the latest patches to prevent potential system compromises and data breaches.
Attack Path Analysis
An unauthenticated attacker exploited a deserialization vulnerability in SolarWinds Web Help Desk's AjaxProxy component to execute arbitrary code on the host system. This initial access allowed the attacker to escalate privileges, move laterally within the network, establish command and control channels, exfiltrate sensitive data, and potentially disrupt services or deploy ransomware.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited the deserialization vulnerability in the AjaxProxy component of SolarWinds Web Help Desk to execute arbitrary code on the host system without authentication.
Related CVEs
CVE-2025-26399
CVSS 9.8An unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk's AjaxProxy component due to insecure deserialization of untrusted data.
Affected Products:
SolarWinds Web Help Desk – <= 12.8.7
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Command and Scripting Interpreter: PowerShell
Valid Accounts
Impair Defenses: Downgrade Attack
Application Layer Protocol: Web Protocols
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity Management and Access Control
Control ID: Pillar 1: Identity
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical remote code execution vulnerability in SolarWinds Web Help Desk threatens IT infrastructure with unauthenticated network attacks requiring immediate patching and enhanced monitoring.
Government Administration
Active exploitation of CVE-2025-26399 poses severe risk to government systems using SolarWinds, enabling full compromise without authentication via insecure deserialization attacks.
Financial Services
Remote code execution vulnerability threatens financial institutions' help desk systems, risking compliance violations and data breaches through unauthenticated network-based exploitation.
Health Care / Life Sciences
Critical vulnerability in SolarWinds Web Help Desk exposes healthcare systems to remote attacks, threatening HIPAA compliance and patient data confidentiality integrity.
Sources
- CVE-2025-26399 SolarWinds Web Help Desk Overview and Takeawayshttps://www.netspi.com/blog/executive-blog/critical-vulnerability/cve-2025-26399-solarwinds-web-help-desk-overview-and-takeaways/Verified
- SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerabilityhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-26399Verified
- SolarWinds Security Advisory for CVE-2025-26399https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26399Verified
- CVE-2025-26399 - NVD Detailhttps://nvd.nist.gov/vuln/detail/CVE-2025-26399Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies. This would likely have reduced the attacker's reach and minimized the blast radius within the network.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While initial exploitation may still occur, Aviatrix CNSF would likely limit the attacker's ability to escalate privileges or move laterally by enforcing strict segmentation and identity-aware policies.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation would likely limit the attacker's ability to escalate privileges by enforcing least-privilege access controls and isolating workloads.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security would likely limit the attacker's lateral movement by enforcing strict segmentation and monitoring east-west traffic.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control would likely limit the attacker's ability to establish command and control channels by providing real-time monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement would likely limit data exfiltration by controlling and monitoring outbound traffic.
Aviatrix CNSF would likely reduce the scope of potential service disruptions or ransomware deployment by limiting the attacker's ability to propagate within the network.
Impact at a Glance
Affected Business Functions
- IT Service Management
- Asset Management
- Help Desk Operations
Estimated downtime: 7 days
Estimated loss: $50,000
Potential exposure of sensitive IT service management data, including user credentials and asset information.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict lateral movement and limit the attacker's ability to access critical systems.
- • Deploy Inline IPS (Suricata) to detect and prevent exploitation attempts targeting known vulnerabilities.
- • Utilize Egress Security & Policy Enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Ensure all systems are updated with the latest security patches to mitigate known vulnerabilities.
