SolarWinds is urging users of its Web Help Desk helpdesk ticketing and asset management software to ensure their instances are up-to-date after patching a newly-uncovered remote code execution (RCE) flaw.
Tracked as CVE-2025-26399, the bug bypasses a fix for a previous flaw, CVE-2024-28988, which was discovered and disclosed by Guy Lederfein of Trend Micro Security Research 12 months ago, in September 2024. However, in a twist reminiscent of the nursery rhyme about old ladies swallowing spiders to catch flies, CVE-2024-28988 itself bypassed a fix for a third issue, CVE-2024-28986.
Like the preceeding vulnerabilities, the latest issue once again takes the form of an unauthenticated AjaxProxy deserialisation RCE vulnerability that enables a threat actor to run commands on the host machine, should they succeed in exploiting it.
A warning from history
Computer Weekly understands that there is currently no evidence of any threat actors having exploited CVE-2025-26399 in the wild.
However, SolarWinds’ Web Help Desk tool is in extensive use at major enterprises and government and public sector bodies alike, and the earlier ‘versions’ of the new flaw were considered serious enough to be added to the Known Exploited Vulnerabilities catalogue run by the US’ Cybersecurity and Infrastructure Security Agency (CISA).
The addition of a bug to the KEV catalogue obliges all agencies of the federal civilian executive branch (FCEB) in the US to take action to address them in a specific timeframe, but the list also serves as a useful indicator of which flaws organisations should be prioritising to patch.
In light of this, it is highly-probable that CVE-2025-26399 will be targeted by threat actors in the very near future, if such activity has not already started.
Furthermore, the events of the 2020-2021 Solorigate/Sunburst incident impacting SolarWinds users also serves as a warning from history, according to Ryan Dewhurst, head of proactive threat intelligence at watchTowr, an exposure management specialist, who noted that SolarWinds is a name that “needs no introduction” in cyber security circles.
“The infamous supply chain attack… allowed months long access into multiple Western government agencies and left a lasting mark on the industry. Fast forward to 2024: an unauthenticated remote deserialisation vulnerability was patched… then patched again. And now, here we are with yet another addressing the very same flaw. Third time’s the charm?” said Dewhurst.
“The original bug was actively exploited in the wild, and while we’re not yet aware of active exploitation of this latest patch bypass, history suggests it’s only a matter of time.”
The Sunburst incident saw almost 20,000 SolarWinds customers download and install a malicious update to the firm’s Orion platform, with prominent victims including US government bodies such as the Department of Energy (DoE) and the National Nuclear Safety Administration (NNSA) that maintains America’s nuclear arsenal.
Earlier this year SolarWinds and the Securities and Exchange Commission (SEC) reached a settlement in principle resolving a case against the organisation and its security leadership over the circumstances that led to the compromise of Orion.
