SolarWinds has released a hot fix to address critical security flaws that affect web help desk software.
The vulnerability tracked as CVE-2025-26399 (CVSS score: 9.8) is described as an instance of untrusted data deintervention that could lead to code execution. It affects SolarWinds Web Help Desk 12.8.7 and all previous versions.
“SolarWinds Web Help Desk has found it susceptible to vulnerabilities in Ajaxproxy Deserialization Remot Code, which is not permitted to allow attackers to execute commands on the host machine by allowing attackers to execute commands on the host machine.
Anonymous researchers working together using the Trend Micro Zero Day Initiative (ZDI) are acknowledged to have discovered and reported defects.
SolarWinds said CVE-2025-26399 is a patch bypass for CVE-2024-28988 (CVSS score: 9.8).
“This vulnerability means that remote attackers do not need authentication to exploit this vulnerability, according to the ZDI advisory in CVE-2024-28988.
“Certain flaws exist in ajaxproxy. The problem arises from the lack of proper validation of user-supported data, which could lead to untrusted data. An attacker could exploit this vulnerability to run code in the context of the system.”
Although there is no evidence of vulnerabilities being exploited in the wild, users are advised to update their instances to the SolarWinds Web Help Desk 12.8.7 HF1 for optimal protection.
That being said, it is worth highlighting that the original bug CVE-2024-28986 was added to the known exploited vulnerability (KEV) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA) shortly after public insights. Currently there is no public information about the nature of the attack that weaponizes bugs.
“SolarWinds is a name that does not require referrals to IT and cybersecurity circles. The infamous 2020 supply chain attacks stemming from the Russian Foreign Intelligence Reporting Agency (SVR) granted several Western government agencies months of access, leaving the industry a lasting mark.”
“Fast-forward to 2024: The ruthless remote escape vulnerability (CVE-2024-28986) patched… and then patched again (CVE-2024-28988).
“Third Time Attraction? The original bug was actively exploited in the wild, but we still don’t recognize the aggressive exploitation of this latest patch bypass, but history suggests it’s only a matter of time.”
Source link
