What happened
CISA added CVE-2025-26399 to the Known Exploited Vulnerabilities (KEV) catalog on 2026-03-09, signaling observed exploitation in the wild [CISA KEV]. The issue affects SolarWinds Web Help Desk (WHD) and is a deserialization of untrusted data vulnerability in the AjaxProxy component that enables command execution on the host [NVD CVE-2025-26399]. CISA set a remediation due date of 2026-03-12 for impacted federal entities, reflecting elevated risk and priority [CISA KEV].
Why it matters
Deserialization flaws let an attacker feed crafted objects to server code and trigger gadget chains that run arbitrary code in the application's context [NVD CVE-2025-26399]. The CVE is explicitly categorized under CWE-502 (Deserialization of Untrusted Data), a weakness class frequently associated with remote code execution in Java and similar ecosystems [MITRE CVE-2025-26399]. KEV inclusion means exploitation has been observed by defenders or partners, so internet-facing WHD instances are high-risk targets for automated probing and mass exploitation runs [CISA KEV].
Technical detail
The vulnerable surface is WHD's AjaxProxy path, which accepts attacker-supplied content that the server deserializes [NVD CVE-2025-26399]. Because serialized input is not adequately validated or constrained, an attacker can invoke gadget chains that lead to arbitrary command execution on the underlying host, the typical CWE-502 impact [MITRE CVE-2025-26399]. CISA's listing confirms active exploitation; attacks of this kind typically pair delivery of the serialized payload with post-exploitation process spawning and persistence on the WHD server [CISA KEV].
WHD is commonly deployed on-premises as a ticketing and help desk service, and once a product enters KEV its exposed management endpoints attract scanning and exploit kits because a large, identifiable population of targets exists [CISA KEV]. The CVE record identifies the product and vulnerability class but does not publish a CVSS score at this time, so defenders should prioritize on KEV status rather than on a numeric score [NVD CVE-2025-26399]. MITRE's entry provides the canonical identifier and cross-links for tracking vendor updates and references through NVD [MITRE CVE-2025-26399].
Defense
- Patch or mitigate per vendor guidance immediately; the KEV due date of 2026-03-12 applies to federal agencies but is a practical SLA for all enterprises [CISA KEV].
- If patching is delayed, reduce exposure: place WHD behind a VPN or SSO gateway, block direct internet access to AjaxProxy endpoints, and enforce IP allowlists where feasible [CISA KEV].
- Monitor for deserialization indicators at the edge: HTTP bodies containing the Java serialization stream header (magic bytes 0xACED0005) or unusual content types directed at WHD paths are red flags [NVD CVE-2025-26399].
- Hunt for post-exploitation activity: unexpected child processes spawned by the WHD service account, the web server spawning shells, or new scheduled tasks on WHD hosts are consistent with RCE follow-on [MITRE CVE-2025-26399].
- Review the NVD references to track vendor advisories, and apply configuration hardening or hotfixes as they ship for supported versions [NVD CVE-2025-26399].
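As an added example (not the advisory's or SolarWinds' own code), a Python check that applies the edge-monitoring bullet above: it flags request bodies aimed at the AjaxProxy path that carry the Java serialization stream header, raw or base64-encoded (the base64 form goes beyond what the text names), or that declare the Java serialized-object content type. The "ajaxproxy" path match, the "/whd/" context root and the sample requests are assumptions constructed for the demo.

```python
import base64
import binascii
from dataclasses import dataclass

JAVA_SER_MAGIC = b"\xac\xed\x00\x05"   # ObjectOutputStream header: STREAM_MAGIC 0xACED + STREAM_VERSION 0x0005
JAVA_SER_MAGIC_B64 = b"rO0AB"           # base64 of those four bytes always starts this way ("rO0ABQ==", "rO0ABXNy")
JAVA_SER_CONTENT_TYPE = "application/x-java-serialized-object"   # conventional MIME type for a Java stream

@dataclass
class HttpRequest:
    path: str
    content_type: str
    body: bytes

def base64_java_magic_present(body: bytes) -> bool:
    """True if some base64 run inside the body decodes to the Java serialization header."""
    idx = body.find(JAVA_SER_MAGIC_B64)
    while idx != -1:
        try:
            # 8 base64 characters decode to 6 bytes; the first four must be the stream header.
            if base64.b64decode(body[idx:idx + 8], validate=True).startswith(JAVA_SER_MAGIC):
                return True
        except (binascii.Error, ValueError):
            pass   # too short or not valid base64 at this offset; keep scanning
        idx = body.find(JAVA_SER_MAGIC_B64, idx + 1)
    return False

def deserialization_indicators(req: HttpRequest) -> list[str]:
    """Indicators of a Java serialized payload aimed at the AjaxProxy path (empty list = nothing seen)."""
    findings: list[str] = []
    # Assumption: the AjaxProxy handler is identified by this path component; adjust per deployment.
    if "ajaxproxy" not in req.path.lower():
        return findings
    if req.content_type.split(";")[0].strip().lower() == JAVA_SER_CONTENT_TYPE:
        findings.append("content-type:java-serialized-object")
    if JAVA_SER_MAGIC in req.body:
        findings.append("raw-java-stream-magic")
    if base64_java_magic_present(req.body):
        findings.append("base64-java-stream-magic")
    return findings

# Constructed sample requests (not captured from a real WHD host); "/whd/" is a placeholder context root.
FAKE_STREAM = JAVA_SER_MAGIC + b"sr\x00\x0bExampleBean"   # header + TC_OBJECT + TC_CLASSDESC + class name
SAMPLES = [
    HttpRequest("/whd/AjaxProxy", "application/x-www-form-urlencoded", b"ticketId=42&action=view"),
    HttpRequest("/whd/AjaxProxy", "application/x-java-serialized-object", FAKE_STREAM),
    HttpRequest("/whd/AjaxProxy", "application/x-www-form-urlencoded", b"data=" + base64.b64encode(FAKE_STREAM)),
    HttpRequest("/whd/index.html", "application/octet-stream", FAKE_STREAM),   # not the AjaxProxy path
]
```

A body that is compressed or otherwise encoded will not match these byte checks, so treat a hit as high-confidence and a miss as no information.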
Lyrie Verdict
CVE-2025-26399 is a classic deserialization-to-RCE chain on a high-value ITSM surface, now confirmed exploited and likely to be automated at scale [CISA KEV]. Lyrie flags this class of attack at machine speed by correlating three signals: serialized payload anomalies at WHD AjaxProxy endpoints, policy-violating process creation from the WHD service, and immediate outbound C2 or credential access behavior on the same host [NVD CVE-2025-26399]. The platform auto-maps these to CWE-502 exploitation patterns and isolates the asset before hands-on-keyboard activity begins, cutting off rogue-AI-driven spray-and-pray exploit traffic and the hands-free lateral movement that follows [MITRE CVE-2025-26399].
Lyrie Verdict
CVE-2025-26399 enables RCE via deserialization on WHD’s AjaxProxy, a prime target for automated exploit kits; Lyrie detects at wire-speed by catching serialized object payloads to WHD, blocking anomalous WHD-spawned processes, and correlating immediate C2 signals for autonomous containment.