A critical unauthenticated remote code execution vulnerability in SolarWinds Web Help Desk AjaxProxy is now listed on CISA’s Known Exploited Vulnerabilities catalog.
What Is It
This vulnerability stems from deserialization of untrusted data (CWE-502) in the AjaxProxy component of SolarWinds Web Help Desk: the component reconstructs objects from attacker-supplied bytes, so the request body, not the application, decides what code runs. Successful exploitation allows an attacker to execute arbitrary commands on the host running Web Help Desk. The flaw requires no authentication and no user interaction to trigger, enabling full system compromise by anyone who can reach the service over the network.
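The following is an added illustration of the bug class described above, not code from SolarWinds or Web Help Desk. Web Help Desk is a Java application and the real flaw is in Java object deserialization; the example uses Python's pickle, which has the same property (the serialized stream names the callable to run), to show the vulnerable loader next to an allowlisting loader, the Python analogue of a JEP 290 ObjectInputFilter. The ticket dictionary and the Gadget class are constructed sample inputs; os.getpid stands in for the os.system call a real payload would name.

```python
"""CWE-502 in miniature: a loader that trusts the byte stream vs. one that does not."""
import io
import os
import pickle


class Gadget:
    """Attacker-side object. Its __reduce__ tells the unpickler which callable to
    invoke on load. os.getpid is a harmless stand-in for os.system("<command>")."""

    def __reduce__(self):
        return (os.getpid, ())


def build_malicious_payload() -> bytes:
    """Constructed sample input: bytes an attacker would POST to the endpoint."""
    return pickle.dumps(Gadget())


def build_benign_payload() -> bytes:
    """Constructed sample input: the kind of plain DTO the endpoint expects."""
    return pickle.dumps({"ticket_id": 42, "subject": "printer down"})


def vulnerable_handler(body: bytes):
    """Equivalent of readObject() on a raw request body: whatever global the
    stream names is resolved and called. The attacker's callable runs here."""
    return pickle.loads(body)


class AllowlistUnpickler(pickle.Unpickler):
    """Only resolve globals that are explicitly permitted; abort on anything else.
    A dict/str/int DTO never triggers find_class at all, so a tiny allowlist
    is enough for the legitimate traffic and blocks every gadget."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "str")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def hardened_handler(body: bytes):
    """Same entry point, but the stream can no longer choose arbitrary callables."""
    return AllowlistUnpickler(io.BytesIO(body)).load()


def is_rejected_by_hardened(body: bytes) -> bool:
    """True if the allowlisting loader refuses the payload."""
    try:
        hardened_handler(body)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    mal = build_malicious_payload()
    print("vulnerable handler returned:", vulnerable_handler(mal))
    print("hardened handler rejects payload:", is_rejected_by_hardened(mal))
    print("hardened handler on benign DTO:", hardened_handler(build_benign_payload()))
```

The allowlist is a mitigation for code that cannot stop using native serialization; the stronger fix is to not deserialize native object streams from unauthenticated clients at all and accept a data-only format (JSON with a schema) instead. Note also why this bug class keeps producing patch bypasses: a denylist of known gadget classes is only as good as the last gadget the defender has heard of.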
Why It Matters
With a CVSS score of 9.8, this vulnerability presents a severe risk to confidentiality, integrity, and availability. Crucially, NVD data describes it as a patch bypass of CVE-2024-28988, which was itself a bypass of the fix for CVE-2024-28986, so a system that was patched against those earlier CVEs is still exploitable through this vector. CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, signaling active exploitation in the wild and mandating urgent mitigation. The attack vector is network-based with low complexity and no privileges required, which makes it well suited to automated exploitation campaigns.
What's Vulnerable
The vulnerability affects SolarWinds Web Help Desk versions up to and including 12.8.6, and version 12.8.7 without Hotfix 1. Attackers can exploit it over the network without valid credentials, making unpatched help desk instances a high-priority target for automated scanning and exploitation campaigns. The CVSS scope metric is unchanged, meaning the vulnerable and impacted component are the same; the practical impact is still a full compromise of the Web Help Desk host. Because the affected range turns on hotfix level rather than on the base version alone, a check that stops at "12.8.7" will miss vulnerable installations.
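An added triage helper that encodes the affected range above (all versions up to 12.8.6, and 12.8.7 without Hotfix 1), not a SolarWinds tool. The accepted version-string forms ("12.8.7", "12.8.7 HF1", "12.8.7 Hotfix 1", "12.8.7-HF1") are an assumption about how an inventory records the hotfix level, and the hostnames are constructed sample data; the treatment of releases later than 12.8.7 as fixed is also an assumption, since the advisory only names 12.8.7 Hotfix 1.

```python
"""Version triage for the SolarWinds Web Help Desk AjaxProxy advisory."""
import re

# Fixed level per the advisory: 12.8.7 plus Hotfix 1.
FIXED_BASE = (12, 8, 7)
FIXED_HOTFIX = 1

# Assumed inventory format: "MAJOR.MINOR.PATCH" optionally followed by
# "HF<n>" / "Hotfix <n>", separated by spaces, dashes or underscores.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)[\s\-_]*(?:(?:hf|hotfix)[\s\-_]*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str):
    """Return ((major, minor, patch), hotfix) or raise ValueError."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Web Help Desk version string: {text!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    hotfix = int(m.group(4)) if m.group(4) else 0
    return base, hotfix


def is_vulnerable(text: str) -> bool:
    """True if the version falls inside the advisory's affected range."""
    base, hotfix = parse_version(text)
    if base < FIXED_BASE:          # 12.8.6 and everything older
        return True
    if base == FIXED_BASE:         # 12.8.7: only the hotfix level decides
        return hotfix < FIXED_HOTFIX
    return False                   # assumption: later releases carry the fix


# Constructed sample inventory: (hostname, version as recorded by the CMDB).
SAMPLE_INVENTORY = [
    ("whd-prod-01", "12.8.6"),
    ("whd-prod-02", "12.8.7"),
    ("whd-prod-03", "12.8.7 HF1"),
    ("whd-dr-01", "12.8.7 Hotfix 1"),
    ("whd-lab-01", "12.8.5"),
    ("whd-lab-02", "unknown"),
]


def triage(inventory):
    """Split an inventory into hosts to patch, hosts already fixed, and hosts
    whose version string could not be parsed (which still need a manual look)."""
    result = {"patch": [], "fixed": [], "unknown": []}
    for host, version in inventory:
        try:
            bucket = "patch" if is_vulnerable(version) else "fixed"
        except ValueError:
            bucket = "unknown"
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

Unparseable entries are reported rather than silently treated as safe; on a KEV-listed bug the default for "don't know" has to be "assume exposed until verified".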
Patch Status
SolarWinds has released Hotfix 1 for version 12.8.7 to address this issue. Organizations are advised to apply the vendor's mitigations immediately per the security advisory, or to discontinue use of the product if the update cannot be applied. Because this is a bypass of the fixes for CVE-2024-28988 and CVE-2024-28986, verify the installed hotfix level rather than assuming that an earlier remediation still holds. The KEV entry sets a due date of March 12, 2026 for federal civilian executive branch agencies under BOD 22-01, with the catalog's standard required action: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Failure to patch leaves systems exposed to unauthenticated remote takeover.
Sources
CISA Known Exploited Vulnerabilities Catalog, National Vulnerability Database (NVD), SolarWinds Trust Center Security Advisories.