Patching the Patch: SolarWinds’ Relentless Battle Against a Shadowy Help Desk Exploit
SolarWinds races to close a critical security loophole in Web Help Desk, issuing a third urgent fix as attackers circle and trust hangs in the balance.
Fast Facts
- SolarWinds has released a third patch for a severe Web Help Desk (WHD) flaw enabling remote code execution (RCE).
- The latest vulnerability, tracked as CVE-2025-26399, affects WHD version 12.8.7 and earlier.
- This flaw is a “patch bypass,” meaning attackers found a way around previous security fixes.
- The U.S. government flagged the original bug as actively exploited last year.
- No confirmed public attacks on the newest flaw yet, but the risk remains high.
A Patchwork of Peril: The SolarWinds Saga Continues
Picture a fortress with a broken gate - each time it’s mended, a new crack appears. That’s the reality facing SolarWinds, whose Web Help Desk software sits at the heart of IT support for thousands of organizations worldwide. This month, SolarWinds scrambled to release a third emergency patch for a critical vulnerability that keeps mutating, despite repeated efforts to lock it down.
The latest bug, CVE-2025-26399, is a direct descendant of two earlier flaws uncovered in the past year. Each time SolarWinds patched the hole, security researchers - and, reportedly, cybercriminals - found a fresh way to slip through. The original flaw, flagged by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in August 2023, had already been exploited in the wild, landing Web Help Desk on the government’s “Known Exploited Vulnerabilities” list.
What’s at Stake? The Risks Behind the Code
At the heart of the crisis is a technical quirk called “unsafe deserialization.” In plain English, it’s like a mailroom that opens any package without checking what’s inside - sometimes, those packages contain malicious instructions. In this case, the AjaxProxy component of Web Help Desk could let an unauthenticated attacker - someone with no valid login - run their own commands on the server. For organizations relying on WHD to keep their digital house in order, that’s a nightmare scenario.
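The mailroom analogy in working code, as an added example that is not SolarWinds' or Web Help Desk's own code: Web Help Desk is a Java product, so the snippet uses Java object serialization, first read the unsafe way (the incoming stream decides which classes get instantiated), then through a JEP 290 allowlist filter that rejects anything the service never expects. The `Ticket` and `Unexpected` classes are constructed for the illustration; `Unexpected` is harmless and only stands in for "a class that is not on the list".

```java
import java.io.*;

// Constructed for this example: a record the service legitimately accepts.
class Ticket implements Serializable {
    private static final long serialVersionUID = 1L;
    final String subject;
    Ticket(String subject) { this.subject = subject; }
}

// Constructed stand-in for any class the service does not expect; harmless here.
class Unexpected implements Serializable {
    private static final long serialVersionUID = 1L;
}

public class DeserializationFilterDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    // Vulnerable pattern: whatever class names the stream carries get instantiated.
    static Object readUnchecked(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: an allowlist filter is consulted for every class in the stream
    // before an instance is created; "!*" rejects everything not listed earlier.
    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
            "Ticket;java.base/*;maxdepth=5;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] good = serialize(new Ticket("printer offline"));
        byte[] bad = serialize(new Unexpected());

        System.out.println("unchecked reader accepts anything: " + readUnchecked(bad).getClass());
        System.out.println("filtered reader accepts Ticket: " + ((Ticket) readFiltered(good)).subject);
        try {
            readFiltered(bad);
        } catch (InvalidClassException e) {
            // Rejected classes surface as InvalidClassException ("filter status: REJECTED").
            System.out.println("filtered reader rejects Unexpected: " + e.getMessage());
        }
    }
}
```

The filter string is the whole defence: every class the endpoint is meant to receive must be listed explicitly, and the trailing `!*` is what turns it from a denylist into an allowlist.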
SolarWinds’ rapid-fire patch cycle is reminiscent of past cyber whack-a-mole games. Similar “patch bypass” fiascos have haunted other tech giants: Cisco, Atlassian, and Microsoft have all grappled with vulnerabilities that refused to stay fixed, as attackers and defenders leapfrog each other. Each new patch is a race against time, with IT teams scrambling to update systems before criminals can exploit the latest loophole.
Market Fallout and the Race to Regain Trust
The stakes go far beyond technical headaches. SolarWinds is still recovering from the reputational bruises of its infamous 2020 supply chain hack, which shook the global cybersecurity community. Every new vulnerability - especially one that keeps resurfacing - tests customer confidence and regulatory patience. With no evidence (yet) of attackers exploiting the latest bug, the company hopes to stay one step ahead, but the clock is always ticking.
For now, SolarWinds customers must act fast: the hotfix is only available through the company’s portal, and applying it requires careful manual steps. In the world of cyber defense, vigilance is the only constant - and as this saga shows, sometimes even the best-guarded gates need mending again, and again, and again.
WIKICROOK
- Remote Code Execution (RCE): Remote Code Execution (RCE) is when an attacker runs their own code on a victim’s system, often leading to full control or compromise of that system.
- Deserialization: Deserialization converts data into usable program objects. If not done securely, it can let attackers inject harmful instructions into applications.
- Patch Bypass: When attackers find a way around a security fix, making a supposedly solved vulnerability dangerous again.
- Zero Day: A Zero Day is a hidden software flaw with no fix available, making it a prime target for attackers until the developer becomes aware and issues a patch.
- Exploit: An exploit is a technique or software that takes advantage of a vulnerability in a system to gain unauthorized access, control, or information.