SolarWinds on Tuesday introduced a hotfix for a distant code execution (RCE) vulnerability in Net Assist Desk, and that is the third time it makes an attempt to deal with the problem.
The newly disclosed bug, tracked as CVE-2025-26399 (CVSS rating of 9.8), is described as an unauthenticated AjaxProxy deserialization RCE flaw that might permit attackers to execute instructions on the host machine.
“This vulnerability is a patch bypass of CVE-2024-28988, which in flip is a patch bypass of CVE-2024-28986,” SolarWinds notes in an advisory launched final week.
The unique security defect, tracked as CVE-2024-28986 (CVSS rating of 9.8), a Java deserialization RCE bug that was reported as being exploitable with out authentication, was flagged as exploited solely days after SolarWinds launched a hotfix in August 2024.
Inside every week, the corporate launched a second hotfix that addressed one other essential vulnerability within the product, CVE-2024-28987 (CVSS rating of 9.1), which eliminated hardcoded credentials uncovered through the deployment of the primary hotfix.
In mid-October 2024, on the identical day the US cybersecurity company CISA warned that the hardcoded credentials had been exploited in assaults, SolarWinds introduced a 3rd hotfix that additionally resolves CVE-2024-28988 (CVSS rating of 9.8), one other Java deserialization RCE within the AjaxProxy.
“This vulnerability was discovered by the ZDI group after researching a earlier vulnerability and offering this report. The ZDI group was capable of uncover an unauthenticated assault throughout their analysis, SolarWinds mentioned on the time.
Now, the corporate explains that the newly disclosed CVE-2025-26399 is its third try at patching the deserialization RCE, and that an nameless security researcher working with Development Micro ZDI found it.
Whereas there have been no reviews of CVE-2024-28988 being exploited within the wild, customers are suggested to use the hotfix for its bypass as quickly as attainable, given the essential severity of the problem and the earlier exploitation of the preliminary vulnerability.
“The unique bug was actively exploited within the wild, and whereas we’re not but conscious of energetic exploitation of this newest patch bypass, historical past suggests it’s solely a matter of time,” watchTowr head of risk intelligence Ryan Dewhurst mentioned.
SolarisWinds launched Net Assist Desk 12.8.7 Hotfix 1 to deal with CVE-2025-26399. The discharge notes comprise detailed directions on how you can apply the hotfix.
