A critical remote code execution (RCE) vulnerability, CVE-2025-26399, has been identified in SolarWinds Web Help Desk (WHD) and remains exploitable despite previous fixes. The flaw allows unauthenticated attackers to execute arbitrary code on vulnerable servers, leading to a full system compromise. Review the details in this Cybersecurity Threat Advisory to assess your exposure and ensure your systems are protected.
What is the threat?
CVE-2025-26399 affects WHD, a platform used for IT service management. The vulnerability resides in the AjaxProxy component and is caused by improper input validation in the WHD web application. This flaw allows attackers to send specially crafted requests that execute arbitrary code on the server. Exploitation does not require authentication, meaning any WHD instance exposed to the internet is at risk. The vulnerability impacts all versions up to and including WHD 12.8.7.
Why is it noteworthy?
This vulnerability is significant because WHD is used by many businesses to manage IT support, which means a security flaw in this software can have a wide impact. This can expose credentials, IT infrastructure, and customer data, potentially leading to major breaches. CVE-2025-26399 can be exploited without a username or password, and in some setups, an attack could spread quickly from one system to another without user action.
Security researchers have confirmed that proof-of-concept exploit code is already available online, making it easier for attackers to take advantage of the flaw. CVE-2025-26399 is also linked to two other vulnerabilities, CVE-2024-28988 and CVE-2024-28986, which were patched earlier this month. The need for a third patch from SolarWinds highlights how challenging it has been to fully remediate this vulnerability, and why it is critical to apply the latest update.
What is the exposure or risk?
If this vulnerability is exploited, attackers could gain complete control over the affected WHD server. This means they could view, steal, or delete sensitive information, disrupt IT support operations, and install malicious software. Because WHD often connects to other important systems inside an organization, a single compromised server could give attackers a pathway to move deeper into the network.
The danger of this vulnerability is not limited to systems that are directly exposed to the internet. Even servers kept inside a company’s network could be at risk if attackers first break in through another system and use this vulnerability to spread. In short, a successful attack could cause serious operational downtime, financial losses, and long-term damage to an organization’s reputation. This is why applying the latest patch and limiting access to WHD is essential to protecting your business.
What are the recommendations?
Barracuda recommends the following actions to address this vulnerability:
- Install the latest hotfix, which is available on the SolarWinds Customer Portal.
- Verify that the patch is correctly installed to ensure systems are not left exposed.
- Restrict access to WHD from untrusted networks.
- Audit server logs for signs of compromise.
- Implement network segmentation to prevent lateral movement following a compromise.
- Monitor for suspicious activity and potential exploit attempts.
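The log audit and access restriction recommendations above can be checked together. The following Python is an added example, not code from SolarWinds or Barracuda: it flags access-log requests that reference the AjaxProxy component and originate outside trusted networks. The Common Log Format, the trusted CIDR range, and the sample log lines (including their URL paths) are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: the web access log uses Common/Combined Log Format.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
COMPONENT = "ajaxproxy"  # component named in the advisory; compared case-insensitively

def is_trusted(src, networks):
    """True only if src parses as an IP address inside a trusted network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or malformed client field: treat as untrusted
    return any(addr in net for net in networks)

def audit(lines, trusted_cidrs):
    """Return (findings, hits per source) for AjaxProxy requests from untrusted sources."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings, per_source = [], Counter()
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        # Percent-decode first so an encoded component name is still matched.
        if not m or COMPONENT not in unquote(m["uri"]).lower():
            continue
        if is_trusted(m["src"], networks):
            continue
        per_source[m["src"]] += 1
        findings.append({"line": lineno, "src": m["src"], "time": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return findings, per_source

# Constructed sample lines; the paths are placeholders, not real WHD endpoints.
SAMPLE = [
    '10.20.0.15 - - [01/Jan/2025:09:00:01 +0000] "GET /constructed/AjaxProxy?x=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:09:02:11 +0000] "POST /constructed/AjaxProxy HTTP/1.1" 200 87',
    '203.0.113.7 - - [01/Jan/2025:09:02:12 +0000] "POST /constructed/Ajax%50roxy HTTP/1.1" 500 0',
    '198.51.100.4 - - [01/Jan/2025:09:05:00 +0000] "GET /constructed/login HTTP/1.1" 200 1024',
]
TRUSTED = ["10.0.0.0/8"]  # hypothetical internal help desk range

if __name__ == "__main__":
    hits, counts = audit(SAMPLE, TRUSTED)
    for h in hits:
        print(h)
    print(dict(counts))
```

Any finding on a server that should only be reachable from internal ranges also indicates that the access restriction is not in effect.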
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2025/09/solarwinds-releases-hotfix-for-critical.html
- https://www.bleepingcomputer.com/news/security/solarwinds-releases-third-patch-to-fix-web-help-desk-rce-bug/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.