SolarWinds Issues Third Attempt to Patch Critical Web Help Desk Vulnerability

SolarWinds has announced a third hotfix for a remote code execution (RCE) vulnerability affecting its Web Help Desk platform, underlining ongoing challenges in securing the product. The newly identified flaw, CVE-2025-26399 (CVSS score: 9.8), is an unauthenticated AjaxProxy deserialization issue that could allow attackers to execute commands on the host system.

According to SolarWinds, this vulnerability is a patch bypass of CVE-2024-28988, which itself bypassed the previous patch for CVE-2024-28986. The original bug, CVE-2024-28986, was a Java deserialization RCE exploited without authentication; it required a hotfix in August 2024, shortly after its discovery.

A History of Patch Challenges

After the initial fix, SolarWinds released a second hotfix addressing CVE-2024-28987, which resolved issues with hardcoded credentials introduced during the first patch deployment. However, by mid-October 2024, the US cybersecurity agency CISA warned that these hardcoded credentials had already been exploited in attacks, prompting SolarWinds to issue a third hotfix that also addressed CVE-2024-28988, another critical AjaxProxy deserialization RCE.

The newly disclosed CVE-2025-26399 was identified by an anonymous security researcher collaborating with Trend Micro’s Zero Day Initiative (ZDI), and it represents SolarWinds’ latest effort to close this persistent security gap. While there are no confirmed reports of CVE-2024-28988 exploitation in the wild, experts caution that the critical severity of these vulnerabilities means prompt patching is essential.

Ryan Dewhurst, Head of Threat Intelligence at watchTowr, emphasizes that while active exploitation of CVE-2025-26399 has not been observed, “history suggests it’s only a matter of time” before attackers attempt to exploit such critical flaws.

Recommended Action

SolarWinds has released Web Help Desk 12.8.7 Hotfix 1 to address CVE-2025-26399. The hotfix includes detailed instructions for applying it securely and is strongly recommended for all users running affected versions.

Given the repeated patch bypasses and history of exploitation, organizations relying on Web Help Desk should apply the hotfix immediately, review their access controls, and monitor for any suspicious activity related to the vulnerability.

Source: https://www.securityweek.com/solarwinds-makes-third-attempt-at-patching-exploited-vulnerability