CISA Adds SolarWinds Vulnerability to KEV
CISA added SolarWinds Web Help Desk CVE-2025-26399 to its Known Exploited Vulnerabilities catalog, mandating federal patches.
CVE-2025-26399 is an unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk (WHD) affecting version 12.8.7 and earlier. It stems from unsafe deserialization in the AjaxProxy component, allowing attackers to run commands on the host machine. This specific vulnerability is a bypass of CVE-2024-28988, which itself was a bypass of CVE-2024-28986, indicating a persistent issue with patch implementations. Exploitation requires only network access to the WHD instance, making public-facing instances particularly high-risk.

CISA's Known Exploited Vulnerabilities (KEV) catalog is a list of vulnerabilities that have been actively exploited in the wild. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV catalog vulnerabilities by a specific due date. CISA strongly urges all organizations to prioritize remediation of KEV vulnerabilities to reduce their exposure to cyberattacks.

Successful exploitation of CVE-2025-26399 allows an attacker to execute commands under the WHD service context, potentially SYSTEM on Windows or root on Linux. Detection efforts should focus on unusual POST requests to AjaxProxy with large payloads and serialized-object markers.
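The detection guidance above, as an added example (not code from CISA or SolarWinds): a triage pass over proxy logs that flags POST requests to AjaxProxy that are large or carry Java serialization markers, namely the stream header `AC ED 00 05` and its base64 form `rO0AB`. The JSON log schema, the placeholder path, the `make_record` helper and the 4096-byte threshold are assumptions; the sample records are constructed.

```python
import base64
import json

# Java serialization stream header (STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005)
JAVA_MAGIC = bytes.fromhex("aced0005")
JAVA_MAGIC_B64 = b"rO0AB"  # how the same header starts once base64-encoded
SIZE_THRESHOLD = 4096      # assumption: set from your own AjaxProxy baseline


def triage(line):
    """Return the reasons one log record is suspicious ([] if none)."""
    rec = json.loads(line)
    if rec["method"] != "POST" or "ajaxproxy" not in rec["path"].lower():
        return []
    reasons = []
    if rec["request_length"] > SIZE_THRESHOLD:
        reasons.append("large-body")
    body = base64.b64decode(rec.get("body_prefix_b64", ""))
    if JAVA_MAGIC in body or JAVA_MAGIC_B64 in body:
        reasons.append("serialization-marker")
    return reasons


def scan(lines):
    """Return (line_number, reasons) for every flagged record."""
    hits = [(n, triage(line)) for n, line in enumerate(lines, 1)]
    return [(n, r) for n, r in hits if r]


def make_record(method, path, length, body):
    # Hypothetical schema: the proxy logs the first bytes of the body, base64-encoded.
    return json.dumps({"method": method, "path": path, "request_length": length,
                       "body_prefix_b64": base64.b64encode(body).decode()})


# Constructed sample records; the path is a placeholder, not the product's real URL.
SAMPLE_LOG = [
    make_record("GET", "/placeholder/AjaxProxy", 0, b""),
    make_record("POST", "/placeholder/AjaxProxy", 120, b'{"action":"refresh"}'),
    make_record("POST", "/placeholder/AjaxProxy", 9000, JAVA_MAGIC + b"\x00" * 32),
    make_record("POST", "/placeholder/AjaxProxy", 300, b"data=rO0ABXNyAAAA"),
    make_record("POST", "/placeholder/login", 9000, b"user=a&note=" + b"x" * 32),
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(reasons)}")
```

Most access-log formats do not record request bodies, so the marker check depends on a WAF or reverse proxy that captures at least a body prefix; the size check alone works with any log that records request length.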