SolarWinds has released a new hotfix aimed at resolving a critical remote code execution (RCE) vulnerability affecting its Web Help Desk (WHD) software. The flaw, now identified as CVE-2025-26399, marks the third patch attempt to fully remediate a vulnerability that originally appeared under CVE-2024-28986.
The latest issue impacts Web Help Desk version 12.8.7, SolarWinds’ most current release. The software is widely deployed across mid-sized to large organizations for managing IT support requests, automating workflows, tracking assets, and ensuring compliance. The vulnerability stems from unsafe deserialization in the AjaxProxy component, allowing unauthenticated attackers to execute arbitrary code on the host system.
According to the SolarWinds security bulletin published on September 23, 2025, CVE-2025-26399 is a patch bypass of CVE-2024-28988, which itself was a patch bypass of the initial flaw CVE-2024-28986.
The vulnerability was rated 9.8 (Critical) on the CVSS scale, signaling the severe risk it poses to affected systems. Exploitation does not require user interaction or authentication, which lowers the barrier for attackers.
SolarWinds WHD Hotfix 1 Details and Installation
The recently released Web Help Desk 12.8.7 Hotfix 1 modifies several core components of the application to address the deserialization issue. Affected files include:
- whd-core.jar
- whd-web.jar
- whd-persistence.jar
- HikariCP.jar (added)
To apply the patch, administrators are instructed to stop the WHD service, back up and replace specific .jar files located in the application’s /lib directory, and then restart the system. The hotfix is only compatible with WHD version 12.8.7.
The update process varies depending on the operating system, with the default installation directories being:
- macOS: /Library/WebHelpDesk
- Windows: \Program Files\WebHelpDesk
- Linux: /usr/local/webhelpdesk
Installation instructions and the hotfix package are available through the SolarWinds Customer Portal. Administrators are also advised to consult the WHD 12.8.7 Hotfix 1 Administrator Guide for detailed deployment procedures.
Ongoing Security Concerns for CVE-2025-26399
This persistent SolarWinds vulnerability underscores cybersecurity concerns within the security community about the need for proper and authenticated patch validation while also maintaining quality assurance processes.
While SolarWinds has taken steps to address the issue in successive updates, the repeated bypasses suggest the initial root cause may not have been fully understood or mitigated.
SolarWinds stresses the importance of installing the latest patch, stating, “Customers who downloaded and installed Web Help Desk 12.8.7 should also download and install 12.8.7 Hotfix 1.”
WHD installations must also ensure they are aligned with the software’s end-of-life (EOL) policies and upgrade paths. The vendor has discontinued support for FIPS configuration files in recent builds, requiring additional steps for federal compliance deployments.
Security teams using SolarWinds Web Help Desk are urged to assess their exposure and prioritize the deployment of Hotfix 1 to avoid potential exploitation of this critical flaw.
