On 23 September 2025, SolarWinds released a hotfix for a critical vulnerability impacting Web Help Desk (WHD), tracked as CVE-2025-26399. The vulnerability arises from a deserialisation flaw in the AjaxProxy component that could allow a remote unauthenticated threat actor to achieve remote code execution. CVE-2025-26399 is the second bypass of a flaw originally disclosed last year as CVE-2024-28986 within WHD, with the first bypass being CVE-2024-28988.
At the time of writing, Arctic Wolf has not observed exploitation of CVE-2025-26399 in the wild, nor has a public proof-of-concept exploit been identified. However, threat actors may attempt to reverse-engineer the hotfix, as the original flaw (CVE-2024-28986) was exploited shortly after its disclosure last year. A compromised WHD instance could expose sensitive information, given its role as an IT service management platform, making it a valuable target for threat actors.
Recommendation for CVE-2025-26399
Apply Hotfix
Arctic Wolf strongly recommends that customers apply the hotfix.
| Product | Affected Version | Fixed Version |
| SolarWinds Web Help Desk | 12.8.7 | 12.8.7 Hotfix 1 |
Please follow your organisation’s patching and testing guidelines to minimise potential operational impact.
References
Resources
Understand the threat landscape with our annual review highlighting cyber threats with the 2025 Security Operations Report.
See how Arctic Wolf utilises threat intelligence to harden your attack surface and stop threats earlier and faster.
