CVE-2025-26399

Warnung

Medienbericht

EPSS 88.33%
Veröffentlicht 23.09.2025 05:15:35
Zuletzt bearbeitet 10.03.2026 13:11:15
Quelle psirt@solarwinds.com
CVE-Watchlists
Login
Unerledigt
Login

SolarWinds Web Help Desk Deserialization of Untrusted Data Privilege Escalation Vulnerability

SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.

Betroffene Produkte Warnungen 1 Metriken 3 CWE 1 Referenzen 12

NVD 2 VulnDex Vulnerability Enrichment 2

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Solarwinds ≫ Web Help Desk Version <= 12.8.6

Solarwinds ≫ Web Help Desk Version12.8.7 Update-

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

09.03.2026: CISA Known Exploited Vulnerabilities (KEV) Catalog

SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

Schwachstelle

SolarWinds Web Help Desk contain a deserialization of untrusted data vulnerability in AjaxProxy that could allow an attacker to run commands on the host machine.

Beschreibung

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Erforderliche Maßnahmen

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	88.33%	0.997

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
psirt@solarwinds.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-502 Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.