CVE-2025-26399: SolarWinds WHD Exploitation Hits Servers

Executive Summary
CVE-2025-26399 in SolarWinds Web Help Desk has moved from “critical but patchable” to an active intrusion problem. CISA added the flaw to its Known Exploited Vulnerabilities catalog in March 2026, while Microsoft and Huntress both reported real-world attacks against exposed WHD instances.
That matters because this is not just another internet-facing bug. The underlying issue is insecure deserialization in the AjaxProxy component, rated CVSS 9.8, and the observed tradecraft shows attackers using the initial foothold for remote code execution, remote management tooling, system discovery, and follow-on access that can lead to credential theft and domain-wide impact.
The practical lesson is simple: if Web Help Desk is exposed to the internet and not upgraded, defenders should treat it as a likely entry point rather than a theoretical risk.
The Flaw: Deserialization-Driven Remote Code Execution
CVE-2025-26399 is a critical-severity deserialization of untrusted data vulnerability (CVSS 9.8) in the AjaxProxy component of SolarWinds Web Help Desk. According to vendor and third-party analysis, exploitation can allow an unauthenticated attacker to execute arbitrary commands on the host running WHD.
NetSPI describes the issue as a network-reachable bug with low attack complexity, no privileges required, and no user interaction. That combination is precisely why exposed service-desk infrastructure becomes so attractive to adversaries.
How the Exploit Works
- Reach the exposed WHD service — the attacker identifies an internet-facing SolarWinds Web Help Desk instance.
- Send crafted serialized data — malicious input is delivered to the vulnerable AjaxProxy path.
- Trigger unsafe object handling — the application deserializes attacker-controlled data without sufficient safeguards.
- Execute commands in the WHD context — the host runs attacker-supplied code or shell commands.
- Pivot into post-exploitation — the adversary installs tooling, performs reconnaissance, and prepares for lateral movement.
Internet attacker
-> vulnerable AjaxProxy endpoint
-> untrusted deserialization
-> command execution on WHD host
-> RMM / PowerShell / persistence
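How step 3 (unsafe object handling) turns into step 4 (command execution), shown as an added example that is not SolarWinds or AjaxProxy code. WHD is a Java application and the real bug is Java object deserialization; the same bug class is reproduced here with Python's pickle so it can be run offline. The Ticket and MaliciousPayload classes, the helper names and the allowlist are constructed for this demo, and the hardened loader is the Python analogue of a Java ObjectInputFilter allowlist. It also includes a static pre-check that lists which module.name pairs a payload would resolve before anything is loaded.

```python
"""Untrusted deserialization, vulnerable and hardened, as an added example.

WHD is a Java application and its bug lives in Java object deserialization;
this reproduces the same bug class with Python's pickle so it runs offline.
Nothing here is SolarWinds or AjaxProxy code; Ticket, MaliciousPayload and the
helper names are constructed for this demo.
"""
import io
import os
import pickle
import pickletools


class Ticket:
    """Legitimate application object the service expects to receive."""

    def __init__(self, ticket_id: int, subject: str):
        self.ticket_id = ticket_id
        self.subject = subject


class MaliciousPayload:
    """Constructed attacker object. __reduce__ tells the unpickler which callable
    to invoke on load; the attacker controls the callable and its arguments.
    os.getenv keeps the demo harmless; a real gadget would name os.system or
    subprocess.Popen, which is the "deserialization -> command execution" step."""

    def __reduce__(self):
        return (os.getenv, ("PATH", "attacker-chosen-default"))


def build_ticket_payload() -> bytes:
    return pickle.dumps(Ticket(4711, "printer on floor 3"))


def build_malicious_payload() -> bytes:
    # The attacker needs none of the target's class files: any importable
    # callable on the target is reachable by module and name.
    return pickle.dumps(MaliciousPayload())


def vulnerable_load(data: bytes):
    """The bug: deserialize whatever arrives. Loading executes the payload."""
    return pickle.loads(data)


ALLOWED_GLOBALS = {(Ticket.__module__, "Ticket")}


class RestrictedUnpickler(pickle.Unpickler):
    """Hardened loader: an allowlist of (module, name) pairs, the Python analogue
    of a Java ObjectInputFilter. Every GLOBAL/STACK_GLOBAL opcode goes through
    find_class, so an unlisted callable cannot even be resolved, let alone run."""

    def find_class(self, module, name):
        if (module, name) not in ALLOWED_GLOBALS:
            raise pickle.UnpicklingError(f"refused to resolve {module}.{name}")
        return super().find_class(module, name)


def hardened_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def hardened_load_rejects(data: bytes) -> bool:
    """True when the hardened loader refuses the payload."""
    try:
        hardened_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def referenced_globals(data: bytes):
    """Triage aid: list the (module, name) pairs a pickle would resolve, without
    loading it. Follows how CPython's pickler emits STACK_GLOBAL (the two strings
    immediately precede the opcode); a hand-crafted pickle can obscure this with
    memo references, so treat it as a hunting signal, not a security boundary."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name in ("SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE"):
            strings.append(arg)
        elif op.name == "GLOBAL":                                  # protocol < 4
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(strings) >= 2:      # protocol >= 4
            name, module = strings.pop(), strings.pop()
            found.append((module, name))
    return found


if __name__ == "__main__":
    evil = build_malicious_payload()
    print("globals referenced:", referenced_globals(evil))
    print("vulnerable_load invoked os.getenv, got:", vulnerable_load(evil)[:24], "...")
    print("hardened rejects malicious:", hardened_load_rejects(evil))
    print("hardened accepts ticket:", hardened_load(build_ticket_payload()).subject)
```

The point of the allowlist is that it is enforced at name resolution, before any constructor or gadget runs; a denylist of "dangerous" classes is the approach that produced the chain of patch bypasses in this bug family.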
The fix history matters because CVE-2025-26399 is the latest in a chain of related WHD deserialization issues and patch bypasses, so an instance that received an earlier hotfix is not necessarily safe. Huntress treats every version prior to 12.8.7 HF1 as vulnerable to the deserialization issues being abused in the wild. SolarWinds’ WHD 2026.1 release, published on January 28, 2026, fixes multiple critical WHD vulnerabilities and continues the vendor’s modernization and hardening work, which is why it is the recommended upgrade target.
Timeline: From Disclosure to Active Exploitation
| Date | Event | Status |
|---|---|---|
| Sep. 2025 | SolarWinds discloses CVE-2025-26399 and releases hotfix guidance (12.8.7 HF1) | ✅ Patch available |
| Dec. 2025 | Intrusions on vulnerable WHD systems begin, according to Microsoft’s later reporting | ⚠️ Initial compromise |
| Jan. 28, 2026 | SolarWinds releases WHD 2026.1 with multiple security fixes | ✅ Patch available |
| Feb. 6, 2026 | Microsoft publishes analysis of active exploitation against exposed WHD | 📢 Public disclosure |
| Feb. 7, 2026 | Huntress investigates hands-on-keyboard exploitation in customer environments | 🔴 Active exploitation |
| Mar. 9, 2026 | CISA adds CVE-2025-26399 to the KEV catalog | 🔴 Active exploitation |
| Mar. 2026 | Defenders continue incident response and exposure reduction for internet-facing WHD | 🔍 Continuing threat / investigation |
Who Is Exploiting CVE-2025-26399?
Public reporting does not yet fully attribute every intrusion to a single actor, but the exploitation pattern is already clear: exposed WHD systems are being targeted by opportunistic and criminal operators who know a help desk server can unlock wider enterprise access.
Financially Motivated Activity
| Actor | Geography | Payload / Tooling | Focus |
|---|---|---|---|
| Warlock-linked activity | Global | Zoho/ManageEngine tooling, Velociraptor, Cloudflared, PowerShell | Initial access, persistence, post-exploitation |
| Unattributed opportunistic operators | Global | BITS abuse, PowerShell, scheduled tasks, reverse SSH | Fast foothold expansion |
Huntress linked one cluster of activity to Warlock ransomware tradecraft, while Microsoft described multistage intrusions involving legitimate admin tools, scheduled tasks, reverse SSH, and stealthier credential-access techniques. Even before encryption or overt extortion appears, this behavior already fits a mature ransomware pre-positioning model.
Why This Matters: The Help Desk Server as a Domain Pivot
This incident is more important than the standalone CVE score suggests because Web Help Desk often sits close to authentication systems, internal workflows, operator accounts, and other sensitive business processes.
Key Challenges
- Internet exposure multiplies impact: A public-facing help desk turns a back-office app into an initial access target.
- Post-exploitation blends into normal IT tooling: Microsoft and Huntress both observed legitimate RMM and admin utilities used after compromise, which complicates detection.
- The path from entry to identity compromise is short: Once attackers land on the WHD server, they can enumerate users, stage persistence, and work toward credential theft and AD compromise.
In other words, this is not just a patch-management issue. It is a threat intelligence and incident-response problem because the post-exploitation behavior is already documented.
Defensive Posture: Immediate Actions
🔴 Upgrade and reduce exposure first
- Upgrade SolarWinds Web Help Desk immediately to WHD 2026.1 or the latest supported secure build.
- Treat all versions before 12.8.7 HF1 as unsafe for this deserialization bug family.
- Remove direct internet exposure to administrative and AjaxProxy paths.
- Place WHD behind VPN, firewall policy, or reverse-proxy controls with explicit allowlists.
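A small inventory triage that applies the "older than 12.8.7 HF1 is vulnerable" rule, as an added example that is not SolarWinds tooling. It handles the two edge cases that trip up naive string comparison: a bare 12.8.7 (without HF1) is still vulnerable, and the year-based 2026.x numbering must sort above the 12.x line. Version strings use the forms on this page; the hostnames and the inventory are constructed.

```python
"""Triage a WHD inventory against 'anything older than 12.8.7 HF1 is vulnerable'.

Added example, not SolarWinds tooling. Version strings use the forms on this
page ("12.8.7 HF1", "2026.1"); the inventory and hostnames are constructed.
"""
from __future__ import annotations

import re
from typing import NamedTuple

FIXED_VERSION = "12.8.7 HF1"
# Accepts "12.8.7", "12.8.7 HF1", "2026.1"; anything else is rejected, not guessed.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """'12.8.7 HF1' -> (12, 8, 7, 1); '12.8.7' -> (12, 8, 7, 0); '2026.1' -> (2026, 1, 0, 0).

    Padding to four parts makes a bare release sort below its hotfix (so 12.8.7
    is still vulnerable) and lets the year-based 2026.x line sort above 12.x."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) + (int(m.group(2) or 0),)


def is_vulnerable(version: str) -> bool:
    return parse_version(version) < parse_version(FIXED_VERSION)


class Host(NamedTuple):
    name: str
    version: str
    internet_exposed: bool


def triage(hosts) -> list[tuple[str, str, str]]:
    """Rank hosts: vulnerable and internet-exposed first, then vulnerable, then patched."""
    ranked = []
    for h in hosts:
        vuln = is_vulnerable(h.version)
        if vuln and h.internet_exposed:
            action = "P1 assume compromised: isolate, hunt, then upgrade"
        elif vuln:
            action = "P2 vulnerable but not exposed: upgrade now"
        else:
            action = "P3 patched: verify exposure and egress controls"
        ranked.append((action, h.name, h.version))
    return sorted(ranked)


# Constructed inventory.
INVENTORY = [
    Host("whd-dmz-01", "12.8.6", True),
    Host("whd-int-02", "12.8.7", False),      # bare 12.8.7 without HF1 is still vulnerable
    Host("whd-int-03", "12.8.7 HF1", False),
    Host("whd-new-04", "2026.1", True),
]

if __name__ == "__main__":
    for action, name, version in triage(INVENTORY):
        print(f"{name} ({version}): {action}")
```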
👥 Credentials and administrative hygiene
- Reset service, admin, and application credentials reachable from the WHD environment.
- Review whether the deployment still relies on WHD’s built-in admin account or other default account assumptions.
- Audit privileged group memberships that were queried or modified after suspected compromise.
🔍 Detection and response
- Hunt for the process chain `wrapper.exe` -> `java.exe`/`javaw.exe` -> suspicious child processes.
- Search for post-exploitation tools such as ToolsIQ.exe, Velociraptor, Cloudflared, QEMU, and unexpected MSI-based installers.
- Review scheduled tasks such as `TPMProfiler` and check for reverse SSH tunnels, port forwards, or rogue RDP enablement.
- Inspect outbound connections to temporary hosting, tunneling services, and attacker-controlled SaaS endpoints.
Microsoft Defender XDR example (children of the WHD Java process that are not on the expected list):

```kusto
DeviceProcessEvents
| where InitiatingProcessParentFileName endswith "wrapper.exe"
| where InitiatingProcessFolderPath has "\\WebHelpDesk\\bin\\"
| where InitiatingProcessFileName in~ ("java.exe", "javaw.exe") or InitiatingProcessFileName contains "tomcat"
| where FileName !in ("java.exe", "pg_dump.exe", "reg.exe", "conhost.exe", "WerFault.exe")
```

Look for vulnerable systems:

```kusto
DeviceTvmSoftwareVulnerabilities
| where CveId has_any ('CVE-2025-40551', 'CVE-2025-40536', 'CVE-2025-26399')
```
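The same process-tree hunt as the Defender query, as an added example run over constructed DeviceProcessEvents-style records so it can be executed offline; it is not Microsoft’s or Huntress’s detection content and the events are not real telemetry. Field names follow the Defender schema (the FolderPath fields carry the full image path); the WHD install path, the folders for expected children and the flagged-term list are assumptions. It goes one step beyond the query: the query excludes expected children by file name only, so this version also pins each expected child to the folder it normally runs from.

```python
"""Hunt for suspicious children of the WHD Java process.

Added example: the Defender XDR query above, re-implemented over constructed
DeviceProcessEvents-style records so it runs offline. Field names follow the
Defender schema (FolderPath fields carry the full image path); the WHD install
path, the expected-child folders and the flagged-term list are assumptions.
"""
from __future__ import annotations

from typing import Iterable

# Assumed WHD install location (matches the \WebHelpDesk\bin\ fragment in the query).
WHD_BIN = "C:\\Program Files\\SolarWinds\\WebHelpDesk\\bin"

# Children the WHD Java process legitimately spawns, pinned to the folder they
# normally run from. The query excludes these by file name only, so an attacker
# dropping a binary named reg.exe into a temp folder would slip past it.
EXPECTED_CHILDREN = {
    "java.exe": WHD_BIN.lower(),
    "pg_dump.exe": "c:\\program files\\solarwinds\\webhelpdesk",   # assumed location
    "reg.exe": "c:\\windows\\system32",
    "conhost.exe": "c:\\windows\\system32",
    "werfault.exe": "c:\\windows\\system32",
}

# Names from the reporting above, plus msiexec for the unexpected MSI installers.
FLAGGED_TERMS = ("toolsiq", "velociraptor", "cloudflared", "qemu", "msiexec")


def _dir_of(path: str, name: str) -> str:
    """Directory part of a Defender FolderPath (full image path), lower-cased."""
    p = path.rstrip("\\").lower()
    if p.endswith("\\" + name.lower()):
        p = p[: -(len(name) + 1)]
    return p.rstrip("\\")


def is_whd_java(event: dict) -> bool:
    """The initiating process is WHD's wrapper-launched java/javaw/tomcat."""
    parent = event.get("InitiatingProcessParentFileName", "").lower()
    folder = event.get("InitiatingProcessFolderPath", "").lower()
    name = event.get("InitiatingProcessFileName", "").lower()
    return (
        parent.endswith("wrapper.exe")
        and "\\webhelpdesk\\bin" in folder
        and (name in ("java.exe", "javaw.exe") or "tomcat" in name)
    )


def classify_child(event: dict) -> str | None:
    """Finding label for a suspicious child process, or None if it is expected."""
    name = event.get("FileName", "").lower()
    folder = _dir_of(event.get("FolderPath", ""), name)
    if name in EXPECTED_CHILDREN:
        if folder == EXPECTED_CHILDREN[name]:
            return None
        return f"expected name {name} from unexpected folder {folder}"
    haystack = name + " " + event.get("ProcessCommandLine", "").lower()
    for term in FLAGGED_TERMS:
        if term in haystack:
            return f"flagged tooling or installer: {term}"
    return f"unexpected child of WHD java: {name}"


def hunt(events: Iterable[dict]) -> list[dict]:
    """Apply the hunt to a stream of DeviceProcessEvents-like records."""
    findings = []
    for ev in events:
        if not is_whd_java(ev):
            continue
        why = classify_child(ev)
        if why:
            findings.append({"DeviceName": ev.get("DeviceName"), "FileName": ev.get("FileName"),
                             "ProcessCommandLine": ev.get("ProcessCommandLine"), "Why": why})
    return findings


def _ev(parent, init_name, init_path, child, child_path, cmdline, device="whd-dmz-01"):
    return {"DeviceName": device, "InitiatingProcessParentFileName": parent,
            "InitiatingProcessFileName": init_name, "InitiatingProcessFolderPath": init_path,
            "FileName": child, "FolderPath": child_path, "ProcessCommandLine": cmdline}


WHD_JAVA = WHD_BIN + "\\java.exe"
SYS32 = "C:\\Windows\\System32\\"
# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    _ev("wrapper.exe", "java.exe", WHD_JAVA, "pg_dump.exe",
        "C:\\Program Files\\SolarWinds\\WebHelpDesk\\pg_dump.exe", "pg_dump.exe -U whd -f backup.sql"),
    _ev("wrapper.exe", "java.exe", WHD_JAVA, "conhost.exe", SYS32 + "conhost.exe", "conhost.exe 0x4"),
    _ev("wrapper.exe", "java.exe", WHD_JAVA, "cmd.exe", SYS32 + "cmd.exe",
        "cmd.exe /c powershell -nop -w hidden -enc ..."),
    _ev("wrapper.exe", "java.exe", WHD_JAVA, "msiexec.exe", SYS32 + "msiexec.exe",
        "msiexec.exe /i C:\\Windows\\Temp\\agent.msi /qn"),
    _ev("wrapper.exe", "java.exe", WHD_JAVA, "reg.exe", "C:\\Windows\\Temp\\reg.exe",
        "reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.save"),
    _ev("services.exe", "java.exe", "C:\\Program Files\\OtherApp\\bin\\java.exe", "cmd.exe",
        SYS32 + "cmd.exe", "cmd.exe /c dir", device="app-int-07"),   # another Java app, out of scope
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['DeviceName']}: {f['FileName']} <- {f['Why']}")
```

On the constructed sample the hunt returns three findings (the shell spawned from Java, the MSI install from a temp path, and a reg.exe that runs from the wrong folder) and ignores the backup job, conhost, and the unrelated Java service.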
📧 Network and segmentation controls
- Block unnecessary egress from the WHD host to arbitrary SaaS, file-sharing, and tunnel providers.
- Segment the WHD server from domain controllers and other high-value internal assets.
- Increase logging around AjaxProxy requests, MSI installation activity, PowerShell spawning, and BITS downloads.
Frequently Asked Questions
What is CVE-2025-26399?
CVE-2025-26399 is a critical insecure deserialization vulnerability in SolarWinds Web Help Desk’s AjaxProxy component. It can allow unauthenticated remote code execution on exposed servers.
Is CVE-2025-26399 being actively exploited?
Yes. CISA added the flaw to the KEV catalog in March 2026, and both Microsoft and Huntress documented active exploitation activity against vulnerable WHD deployments.
How should defenders respond?
Upgrade immediately, remove public exposure, rotate credentials reachable from the WHD host, and investigate for signs of post-exploitation tooling or suspicious scheduled tasks.
Bottom Line
CVE-2025-26399 is no longer just a critical SolarWinds bug — it is a proven intrusion vector for exposed help desk infrastructure.
Key Takeaways
✅ KEV status changes the response priority: once CISA marks a flaw as known exploited, the conversation shifts from routine patching to urgent risk reduction.
✅ The first-stage exploit is only the start: Microsoft and Huntress both show how quickly attackers move from WHD access to persistence, reconnaissance, and identity-focused abuse.
If your organization still exposes SolarWinds Web Help Desk to the internet, assume time-to-compromise is short and act accordingly.
References
- CISA. “CISA Adds Three Known Exploited Vulnerabilities to Catalog.” March 2026.
- Microsoft Security Blog. “Analysis of active exploitation of SolarWinds Web Help Desk.” February 2026.
- Huntress. “Active Exploitation of SolarWinds Web Help Desk.” February 2026.
- SolarWinds. “WHD 2026.1 release notes.” January 2026.
- NetSPI. “CVE-2025-26399 SolarWinds Web Help Desk Overview and Takeaways.” March 2026.
- The Hacker News. “CISA Flags SolarWinds, Ivanti, and Workspace One Vulnerabilities as Actively Exploited.” March 2026.
Published: 2026-03-15 Author: Invaders Editorial Team Classification: TLP:CLEAR Reading Time: 6 minutes