Vulnerability intelligence

CVE-2025-26399

SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

CVSS Score

9.8

Critical

EPSS — Exploit Probability

31%

Riskier than 97% of all CVEs

Exploitation

Confirmed in the wild

Used in ransomware campaigns

Remediation

Patch available

Federal deadline 2026-03-12

CISA required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Deadline for federal agencies: 2026-03-12.

NVD entry Vendor patch PoC / advisory CISA KEV

1 article across 1 outlet · first covered Apr 20, 2026 · latest Apr 20, 2026

Coverage timeline

Hackers Abuse QEMU for Defense Evasion
www.securityweek.com · Apr 20, 2026

Related CVEs — SolarWinds

CVE-2026-28318KEV