Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk
Summary
SolarWinds has released a hotfix for a critical deserialization vulnerability (CVE-2025-26399) in its Web Help Desk software, the third fix in a chain of patch bypasses. The flaw allows unauthenticated remote code execution on affected systems. It impacts version 12.8.7 and all earlier versions; users are advised to update to 12.8.7 HF1. The flaw was discovered by an anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI). CVE-2025-26399 is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original bug (CVE-2024-28986) was exploited in the wild and added to CISA's Known Exploited Vulnerabilities (KEV) catalog.
Timeline
- 23.09.2025 15:46 (2 articles)
SolarWinds releases hotfix for critical deserialization flaw in Web Help Desk
The vulnerability affects the AjaxProxy component due to unsafe deserialization handling. The hotfix requires users to replace specific JAR files in the Web Help Desk installation directory. The flaw was discovered by an anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI).
Sources:
- SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw | thehackernews.com | 23.09.2025 15:46
- SolarWinds releases third patch to fix Web Help Desk RCE bug | www.bleepingcomputer.com | 23.09.2025 16:41
Information Snippets
- The vulnerability, CVE-2025-26399, is a critical deserialization flaw with a CVSS score of 9.8.
  First reported: 23.09.2025 15:46 (2 sources, 2 articles: thehackernews.com 15:46, www.bleepingcomputer.com 16:41)
- The flaw affects SolarWinds Web Help Desk 12.8.7 and all previous versions.
  First reported: 23.09.2025 15:46 (2 sources, 2 articles: thehackernews.com 15:46, www.bleepingcomputer.com 16:41)
- The vulnerability allows unauthenticated remote code execution on affected systems.
  First reported: 23.09.2025 15:46 (2 sources, 2 articles: thehackernews.com 15:46, www.bleepingcomputer.com 16:41)
- SolarWinds has released a hotfix (version 12.8.7 HF1) to address the vulnerability.
  First reported: 23.09.2025 15:46 (2 sources, 2 articles: thehackernews.com 15:46, www.bleepingcomputer.com 16:41)
- The flaw was discovered by an anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI).
  First reported: 23.09.2025 15:46 (2 sources, 2 articles: thehackernews.com 15:46, www.bleepingcomputer.com 16:41)
- CVE-2025-26399 is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986.
  First reported: 23.09.2025 15:46 (2 sources, 2 articles: thehackernews.com 15:46, www.bleepingcomputer.com 16:41)
- CVE-2024-28986 was exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog by CISA.
  First reported: 23.09.2025 15:46 (2 sources, 2 articles: thehackernews.com 15:46, www.bleepingcomputer.com 16:41)
- The vulnerability affects the AjaxProxy component due to unsafe deserialization handling.
  First reported: 23.09.2025 16:41 (1 source, 1 article: www.bleepingcomputer.com 16:41)
- The hotfix requires users to replace specific JAR files in the Web Help Desk installation directory.
  First reported: 23.09.2025 16:41 (1 source, 1 article: www.bleepingcomputer.com 16:41)
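The snippets above describe the bug class (unsafe Java deserialization in a web-facing component) but not the AjaxProxy code itself, which is not public. The following is an added illustration, not SolarWinds code and not a reconstruction of the patched component: it puts the vulnerable `ObjectInputStream.readObject()` pattern beside the same read guarded by a JEP 290 `ObjectInputFilter` allowlist, which is the standard JDK mitigation for this class of flaw. The class names, the allowlist contents, and the `NotAllowed` stand-in for a gadget-chain payload are all assumptions chosen for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical demo (not SolarWinds code): a request handler that turns
 * a raw request body back into a Java object.  readUnsafe() is the
 * vulnerable pattern; readFiltered() applies a deserialization filter.
 */
public class DeserializationDemo {

    // Assumed allowlist: only these classes may be reconstructed from
    // untrusted bytes, with resource limits; "!*" rejects everything else.
    private static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "java.lang.String;java.util.ArrayList;java.util.HashMap;"
            + "maxdepth=5;maxrefs=100;maxbytes=65536;!*");

    /** Vulnerable: the sender chooses which classes on the classpath get instantiated. */
    public static Object readUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    /** Hardened: the filter rejects any class not on the allowlist before it is loaded. */
    public static Object readFiltered(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(ALLOWLIST);
            return in.readObject();
        }
    }

    // Stand-in for an attacker-supplied class (a real exploit would use a
    // gadget chain); it is harmless here and simply not on the allowlist.
    public static class NotAllowed implements Serializable {
        private static final long serialVersionUID = 1L;
        String note = "stand-in for a gadget chain";
    }

    /** Helper to build constructed sample request bodies for the demo. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new ArrayList<>(List.of("ticket-1")));  // constructed input
        byte[] hostile = serialize(new NotAllowed());                     // constructed input

        System.out.println("unsafe, benign:    " + readUnsafe(benign));
        System.out.println("unsafe, hostile:   instantiated " + readUnsafe(hostile).getClass().getName());
        System.out.println("filtered, benign:  " + readFiltered(benign));
        try {
            readFiltered(hostile);
            System.out.println("filtered, hostile: unexpectedly accepted");
        } catch (InvalidClassException e) {
            // The filter reports REJECTED and readObject throws before any
            // constructor, readObject() or readResolve() of the class runs.
            System.out.println("filtered, hostile: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac DeserializationDemo.java && java DeserializationDemo` on JDK 9 or later. A filter of this kind is a defence-in-depth measure for code you control; it does not substitute for applying 12.8.7 HF1, and it does not help when the application legitimately needs to deserialize types that themselves carry gadget chains, which is why the page's advice is to patch rather than to filter.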
Similar Happenings
GitHub Strengthens npm Supply Chain Security with 2FA and Short-Lived Tokens
GitHub has announced upcoming changes to its authentication and publishing options in response to recent supply chain attacks targeting the npm ecosystem. These changes aim to mitigate threats posed by token abuse and self-replicating malware. The updates include mandatory two-factor authentication (2FA), short-lived tokens, and trusted publishing via OpenID Connect (OIDC). The Shai-Hulud attack, which injected a self-replicating worm into hundreds of npm packages, highlighted the need for these security enhancements. Additionally, a malicious npm package named fezbox was discovered, which used a QR code-based technique to steal browser credentials. The fezbox package was downloaded at least 327 times before being removed from the npm registry, and it employed advanced obfuscation techniques to evade detection. Recent attacks, including the s1ngularity and GhostAction campaigns, have further underscored the need for these security measures. Ruby Central has also announced tighter governance of the RubyGems package manager to improve supply-chain protections.
EDR-Freeze tool suspends security software using Windows WER
A new proof-of-concept tool called EDR-Freeze exploits Windows Error Reporting (WER) to suspend security software, including EDR and antivirus tools. The technique, discovered by researcher Zero Salarium, operates from user mode without requiring a vulnerable driver. It leverages legitimate Windows components to indefinitely suspend security processes. The method involves using the WerFaultSecure component and the MiniDumpWriteDump API to suspend all threads in the target process, effectively putting security software into a dormant state. This approach is stealthier and more efficient than traditional BYOVD attacks, which rely on exploiting vulnerable kernel drivers. The tool has been successfully tested on Windows 11 24H2, demonstrating its potential impact on modern systems.
Critical deserialization vulnerability in Fortra GoAnywhere MFT
Fortra disclosed a critical deserialization vulnerability in GoAnywhere Managed File Transfer (MFT) software (CVE-2025-10035). This flaw, with a CVSS score of 10.0, allows arbitrary command execution through a forged license response signature. The vulnerability affects systems accessible over the internet and was patched in versions 7.8.4 and 7.6.3. Fortra has not confirmed exploitation in the wild, but similar vulnerabilities in the same product were previously exploited by ransomware actors. Users are advised to update to the patched versions immediately or restrict public access to the GoAnywhere Admin Console. Fortra discovered the vulnerability during a security check on September 11, 2025. The vulnerability was identified in the License Servlet of GoAnywhere MFT. Over 470 GoAnywhere MFT instances are being monitored by the Shadowserver Foundation.
Malware exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428
Two sets of malware have been discovered in an unnamed organization's network following the exploitation of vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities were exploited around May 15, 2025, to gain access to the server running EPMM. This allowed attackers to execute arbitrary code, collect system information, download malicious files, and exfiltrate data. The malware sets included loaders that enabled persistence by injecting and running arbitrary code on the compromised server. The attacks leveraged two vulnerabilities: an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428). The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands. The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks. CISA recommends patching affected Ivanti EPMM immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).
SilentSync RAT delivered via malicious PyPI packages targeting Python developers
Two malicious packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages deliver the SilentSync remote access trojan (RAT) to Windows systems. The trojan is capable of remote command execution, file exfiltration, screen capturing, and extracting web browser data. The packages were uploaded by a user named CondeTGAPIS and have been removed from PyPI. The sisaws package mimics the legitimate sisa package, while secmeasure masquerades as a security library. The trojan is designed to infect Windows systems but also supports Linux and macOS. It communicates with a command and control (C2) server to receive commands and exfiltrate data. The discovery highlights the risk of supply chain attacks within public software repositories.