
SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw

SolarWinds has released hot fixes to address a critical security flaw impacting its Web Help Desk software that, if successfully exploited, could allow attackers to execute arbitrary commands on susceptible instances.

The vulnerability, tracked as CVE-2025-26399 (CVSS score: 9.8), has been described as an instance of deserialization of untrusted data that could result in code execution. It impacts SolarWinds Web Help Desk 12.8.7 and all previous versions.

"SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine," SolarWinds said in an advisory released on September 17, 2025.


An anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw.

SolarWinds said CVE-2025-26399 is a patch bypass for CVE-2024-28988 (CVSS score: 9.8), which, in turn, is a bypass for CVE-2024-28986 (CVSS score: 9.8) that was originally addressed by the company back in August 2024.


"This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Web Help Desk. Authentication is not required to exploit this vulnerability," according to a ZDI advisory for CVE-2024-28988.

"The specific flaw exists within the AjaxProxy. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM."
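The bug class ZDI describes above, deserialization of untrusted data reaching Java's `ObjectInputStream.readObject()` without any restriction on which classes may be instantiated, is illustrated below with an added example. It is not SolarWinds code and says nothing about how AjaxProxy or Web Help Desk are actually implemented; the `SearchRequest` class, the `unsafeDeserialize`/`safeDeserialize` methods and the sample payloads are all hypothetical. It contrasts the unrestricted pattern with the same call hardened by a JEP 290 `ObjectInputFilter` allowlist (Java 9 and later), which rejects any unexpected class before its constructor or `readObject()` hook can run.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

// Hypothetical request type that an illustrative AJAX endpoint expects from the
// browser. This is made up for the example and is not a Web Help Desk class.
final class SearchRequest implements Serializable {
    private static final long serialVersionUID = 1L;
    final String query;
    SearchRequest(String query) { this.query = query; }
}

public class DeserializationDemo {

    // VULNERABLE pattern: bytes from an unauthenticated client go straight into
    // readObject() with no restriction on which classes may be instantiated. Any
    // serializable class on the classpath with a dangerous readObject() or a
    // known gadget chain becomes reachable to the attacker.
    static Object unsafeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            return in.readObject();
        }
    }

    // HARDENED pattern: an ObjectInputFilter allowlists only the expected class and
    // java.lang.String, and "!*" rejects everything else. The filter runs on each
    // class descriptor before any object is created, so a gadget class never loads.
    // maxdepth/maxrefs bound resource use on deliberately malformed streams.
    static Object safeDeserialize(byte[] untrusted) throws IOException, ClassNotFoundException {
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "SearchRequest;java.lang.String;!*;maxdepth=5;maxrefs=50");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(untrusted))) {
            in.setObjectInputFilter(filter);
            return in.readObject();
        }
    }

    // Helper to build constructed sample payloads for the demo.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the class the endpoint expects, and a benign stand-in
        // for "any other class on the classpath" (a real attacker would pick a gadget).
        byte[] expected = serialize(new SearchRequest("printers"));
        byte[] unexpected = serialize(new HashMap<String, String>());

        // The unrestricted reader happily instantiates whatever the client sent.
        System.out.println("unsafe, expected class:   " + unsafeDeserialize(expected).getClass().getName());
        System.out.println("unsafe, unexpected class: " + unsafeDeserialize(unexpected).getClass().getName());

        // The filtered reader accepts the expected class and refuses everything else.
        System.out.println("safe,   expected class:   " + safeDeserialize(expected).getClass().getName());
        try {
            safeDeserialize(unexpected);
            System.out.println("safe,   unexpected class: accepted (filter misconfigured)");
        } catch (InvalidClassException e) {
            System.out.println("safe,   unexpected class: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo`. The practical caveat is that an allowlist filter only helps if it is applied on every deserialization path the application exposes; the repeated bypasses in this story (CVE-2024-28986, then CVE-2024-28988, then CVE-2025-26399) are the usual pattern of a fix that blocks one entry point or one gadget while another remains reachable. A process-wide default via the `jdk.serialFilter` system property is the safer baseline than per-stream filters added case by case.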

While there is no evidence of the vulnerability being exploited in the wild, users are advised to update their instances to SolarWinds Web Help Desk 12.8.7 HF1 for optimal protection.

That said, it's worth emphasizing that the original bug, CVE-2024-28986, was added to the Known Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) shortly after public disclosure. There is currently no information publicly available on the nature of the attacks weaponizing the bug.


"SolarWinds is a name that needs no introduction in IT and cybersecurity circles. The infamous 2020 supply chain attack, attributed to Russia's Foreign Intelligence Service (SVR), allowed months-long access into multiple Western government agencies and left a lasting mark on the industry," Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said in a statement.


"Fast forward to 2024: an unauthenticated remote deserialization vulnerability (CVE-2024-28986) was patched… then patched again (CVE-2024-28988). And now, here we are with yet another patch (CVE-2025-26399) addressing the very same flaw.

"Third time's the charm? The original bug was actively exploited in the wild, and while we're not yet aware of active exploitation of this latest patch bypass, history suggests it's only a matter of time."
