SolarWinds on Tuesday introduced a hotfix for a distant code execution (RCE) vulnerability in Net Assist Desk, and that is the third time it makes an attempt to deal with the problem.
The newly disclosed bug, tracked as CVE-2025-26399 (CVSS rating of 9.8), is described as an unauthenticated AjaxProxy deserialization RCE flaw that would permit attackers to execute instructions on the host machine.
“This vulnerability is a patch bypass of CVE-2024-28988, which in flip is a patch bypass of CVE-2024-28986,” SolarWinds notes in an advisory launched final week.
The unique safety defect, tracked as CVE-2024-28986 (CVSS rating of 9.8), a Java deserialization RCE bug that was reported as being exploitable with out authentication, was flagged as exploited solely days after SolarWinds launched a hotfix in August 2024.
Inside every week, the corporate launched a second hotfix that addressed one other crucial vulnerability within the product, CVE-2024-28987 (CVSS rating of 9.1), which eliminated hardcoded credentials uncovered in the course of the deployment of the primary hotfix.
In mid-October 2024, on the identical day the US cybersecurity company CISA warned that the hardcoded credentials had been exploited in assaults, SolarWinds introduced a 3rd hotfix that additionally resolves CVE-2024-28988 (CVSS rating of 9.8), one other Java deserialization RCE within the AjaxProxy.
“This vulnerability was discovered by the ZDI staff after researching a earlier vulnerability and offering this report. The ZDI staff was capable of uncover an unauthenticated assault throughout their analysis, SolarWinds stated on the time.
Now, the corporate explains that the newly disclosed CVE-2025-26399 is its third try at patching the deserialization RCE, and that an nameless safety researcher working with Pattern Micro ZDI found it.Commercial. Scroll to proceed studying.
Whereas there have been no experiences of CVE-2024-28988 being exploited within the wild, customers are suggested to use the hotfix for its bypass as quickly as potential, given the crucial severity of the problem and the earlier exploitation of the preliminary vulnerability.
“The unique bug was actively exploited within the wild, and whereas we’re not but conscious of lively exploitation of this newest patch bypass, historical past suggests it’s solely a matter of time,” watchTowr head of risk intelligence Ryan Dewhurst stated.
SolarisWinds launched Net Assist Desk 12.8.7 Hotfix 1 to deal with CVE-2025-26399. The discharge notes comprise detailed directions on find out how to apply the hotfix.
Associated: Fortra Patches Vital GoAnywhere MFT Vulnerability
Associated: Chrome 140 Replace Patches Sixth Zero-Day of 2025
Associated: Apple Rolls Out iOS 26, macOS Tahoe 26 With Patches for Over 50 Vulnerabilities
Associated: Cost System Vendor Took Yr+ to Patch Infinite Card High-Up Hack: Safety Agency
