Sep 23, 2025Ravie LakshmananVulnerability / Information Safety
SolarWinds has launched sizzling fixes to handle a vital safety flaw impacting its Net Assist Desk software program that, if efficiently exploited, might permit attackers to execute arbitrary instructions on prone techniques.
The vulnerability, tracked as CVE-2025-26399 (CVSS rating: 9.8), has been described as an example of deserialization of untrusted information that might end in code execution. It impacts SolarWinds Net Assist Desk 12.8.7 and all earlier variations.
“SolarWinds Net Assist Desk was discovered to be prone to an unauthenticated AjaxProxy deserialization distant code execution vulnerability that, if exploited, would permit an attacker to run instructions on the host machine,” SolarWinds stated in an advisory launched on September 17, 2025.
An nameless researcher working with the Development Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw.
SolarWinds stated CVE-2025-26399 is a patch bypass for CVE-2024-28988 (CVSS rating: 9.8), which, in flip, is a bypass for CVE-2024-28986 (CVSS rating: 9.8) that was initially addressed by the corporate again in August 2024.
“This vulnerability permits distant attackers to execute arbitrary code on affected installations of SolarWinds Net Assist Desk. Authentication is just not required to take advantage of this vulnerability,” in accordance with a ZDI advisory for CVE-2024-28988.
“The particular flaw exists inside the AjaxProxy. The problem outcomes from the shortage of correct validation of user-supplied information, which can lead to deserialization of untrusted information. An attacker can leverage this vulnerability to execute code within the context of SYSTEM.”
Whereas there isn’t any proof of the vulnerability being exploited within the wild, customers are suggested to replace their situations to SolarWinds Net Assist Desk 12.8.7 HF1 for optimum safety.
That stated, it is price emphasizing that the unique bug CVE-2024-28986 was added to the Recognized Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Safety Company (CISA) shortly after public disclosure. There’s at the moment no data publicly accessible on the character of the assaults weaponizing the bug.
“SolarWinds is a reputation that wants no introduction in IT and cybersecurity circles. The notorious 2020 provide chain assault, attributed to Russia’s Overseas Intelligence Service (SVR), allowed months-long entry into a number of Western authorities companies and left a long-lasting mark on the business,” Ryan Dewhurst, head of proactive risk intelligence at watchTowr, stated in an announcement.
“Quick ahead to 2024: an unauthenticated distant deserialization vulnerability (CVE-2024-28986) was patched… then patched once more (CVE-2024-28988). And now, right here we’re with yet one more patch (CVE-2025-26399) addressing the exact same flaw.
“Third time’s the appeal? The unique bug was actively exploited within the wild, and whereas we’re not but conscious of energetic exploitation of this newest patch bypass, historical past suggests it is solely a matter of time.”
