How to Fix CVE-2025-26399: SolarWinds Web Help Desk Unauthenticated Deserialization
*By Sai Kiran Pandrala*
| Severity | CVSS 9.8, Critical |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV |
| Affected | SolarWinds Web Help Desk (WHD), see SolarWinds Trust Center advisory for affected versions |
| Fixed in | See the SolarWinds advisory for the exact patched WHD release and hotfix |
| Type (CWE) | Untrusted Deserialization |
⚠️ Patch immediately. Web Help Desk holds customer ticket data, support credentials, and (in many deployments) integrated AD service accounts. Unauthenticated RCE here is data-exposure-class.
What is CVE-2025-26399?
SolarWinds Web Help Desk (WHD) is susceptible to unauthenticated deserialization of untrusted data. A remote attacker can send a specially crafted serialized payload to the WHD service, causing the Java runtime to instantiate attacker-controlled classes and execute arbitrary code as the WHD service account.
The pattern follows a well-known Java deserialization attack class. The vendor advisory describes the specific endpoints and the exact attack precondition.
Am I affected?
You are affected if you run SolarWinds Web Help Desk at a version below the patched release listed in the SolarWinds advisory.
Check your WHD version: log into the admin UI → Help → About, or check the install path for the version file.
How to fix CVE-2025-26399
- Open the SolarWinds Trust Center advisory linked below and identify the patched WHD release and any applicable hotfix.
- Back up the WHD database and configuration before upgrading.
- Download the patched release / hotfix from your SolarWinds Customer Portal.
- Stop WHD:
sudo systemctl stop webhelpdesk
- Run the installer in upgrade mode. The installer preserves the database and configuration paths.
- Start WHD:
sudo systemctl start webhelpdesk
- Verify via the Help → About page.
If you can't patch immediately
- Take WHD off the public internet. WHD typically does not need public reachability — internal employees and customer-portal use cases can both be fronted by VPN or identity-aware proxy.
- Restrict access at the perimeter to known IP ranges.
- Increase log monitoring on the WHD application logs for unusual POST traffic.
How to verify the fix worked
After upgrade, confirm the version on the Help → About page matches the SolarWinds-published patched release. Run an authenticated vulnerability scan; the CVE-2025-26399 detection should clear.
Frequently asked questions
Is CVE-2025-26399 actively exploited?
Yes. CVE-2025-26399 is on the CISA Known Exploited Vulnerabilities catalog, so federal civilian agencies are required to patch on the published deadline. Most enterprises treat the same date as the practical floor.
What is the CVSS severity of CVE-2025-26399?
Critical. See the advisory for the full CVSS vector.
Where can I read the official advisory?
See https://www.solarwinds.com/trust-center/security-advisories
Does the patch require a reboot?
It depends on the deployment. Service-only updates usually need a service restart; OS-level fixes require a full reboot. Check the vendor release notes for the exact post-upgrade steps.
References
- Official SolarWinds Trust Center advisory: https://www.solarwinds.com/trust-center/security-advisories
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-26399
- CISA KEV catalog entry: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Related: How to Fix CVE-2025-40551
*This guide was assembled from the SolarWinds Trust Center reference, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against the SolarWinds advisory before applying changes in production.*