A critical remote code execution vulnerability has been identified in SolarWinds Web Help Desk, designated CVE-2025-26399. This flaw allows an unauthenticated attacker to execute arbitrary commands on the server, potentially leading to a complete system compromise. Due to the ease of exploitation and severe impact, this vulnerability poses a significant and immediate risk to affected organizations.

The vulnerability is an unauthenticated remote code execution flaw resulting from insecure deserialization in the AjaxProxy component. An attacker can send a specially crafted request containing a malicious serialized object to the AjaxProxy endpoint. The application deserializes this object without proper validation, leading to the execution of embedded code with the permissions of the Web Help Desk service, which could grant the attacker full control over the underlying server.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected server, allowing an attacker to steal sensitive data, deploy ransomware, disrupt help desk operations, or use the compromised system as a pivot point to attack other internal network resources. The potential business impact includes significant data breaches, financial loss from operational downtime, reputational damage, and regulatory penalties.

Immediate Action: Update all instances of SolarWinds Web Help Desk to the latest version provided by the vendor to patch this vulnerability. Prioritize patching for systems that are exposed to the internet. After patching, monitor for any signs of exploitation attempts by reviewing access logs for suspicious activity.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes reviewing web server and application logs for unusual or malformed requests to the AjaxProxy endpoint, monitoring for unexpected processes spawned by the Web Help Desk service, and scrutinizing outbound network traffic from the server for connections to unknown or malicious destinations.

Compensating Controls: If immediate patching is not feasible, implement compensating controls to reduce the risk. Restrict network access to the Web Help Desk application to only trusted IP addresses using a firewall. Deploy a Web Application Firewall (WAF) with rules designed to detect and block deserialization attack patterns.

Public Exploit Available: false

Given the critical severity of this vulnerability, immediate action is required. We strongly recommend that all organizations using the affected SolarWinds Web Help Desk product apply the vendor-supplied patches immediately, starting with internet-facing systems. Although this CVE is not currently on the CISA KEV list, its characteristics make it a prime target for widespread exploitation. Organizations should not wait for confirmed exploitation in the wild before taking decisive remediation action.