
Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk

📰 2 unique sources, 2 articles

Summary


SolarWinds has released a third hotfix for a critical deserialization vulnerability (CVE-2025-26399) in its Web Help Desk software. The flaw allows unauthenticated remote code execution on affected systems. The vulnerability impacts versions 12.8.7 and earlier. Users are advised to update to version 12.8.7 HF1. The flaw was discovered by an anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI). The vulnerability is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original bug (CVE-2024-28986) was exploited in the wild and added to the Known Exploited Vulnerabilities (KEV) catalog by CISA.

Timeline

  1. 23.09.2025 15:46 📰 2 articles · ⏱ 8h ago

    SolarWinds releases hotfix for critical deserialization flaw in Web Help Desk

    The vulnerability affects the AjaxProxy component due to unsafe deserialization handling. The hotfix requires users to replace specific JAR files in the Web Help Desk installation directory. The flaw was discovered by an anonymous researcher working with the Trend Micro Zero Day Initiative (ZDI).



Similar Happenings

GitHub Strengthens npm Supply Chain Security with 2FA and Short-Lived Tokens

GitHub has announced upcoming changes to its authentication and publishing options in response to recent supply chain attacks targeting the npm ecosystem. These changes aim to mitigate threats posed by token abuse and self-replicating malware. The updates include mandatory two-factor authentication (2FA), short-lived tokens, and trusted publishing via OpenID Connect (OIDC). The Shai-Hulud attack, which injected a self-replicating worm into hundreds of npm packages, highlighted the need for these security enhancements. Additionally, a malicious npm package named fezbox was discovered, which used a QR code-based technique to steal browser credentials. The fezbox package was downloaded at least 327 times before being removed from the npm registry, and it employed advanced obfuscation techniques to evade detection. Recent attacks, including the s1ngularity and GhostAction campaigns, have further underscored the need for these security measures. Ruby Central has also announced tighter governance of the RubyGems package manager to improve supply-chain protections.

EDR-Freeze tool suspends security software using Windows WER

A new proof-of-concept tool called EDR-Freeze exploits Windows Error Reporting (WER) to suspend security software, including EDR and antivirus tools. The technique, discovered by researcher Zero Salarium, operates from user mode without requiring a vulnerable driver. It leverages legitimate Windows components to indefinitely suspend security processes. The method involves using the WerFaultSecure component and the MiniDumpWriteDump API to suspend all threads in the target process, effectively putting security software into a dormant state. This approach is stealthier and more efficient than traditional BYOVD attacks, which rely on exploiting vulnerable kernel drivers. The tool has been successfully tested on Windows 11 24H2, demonstrating its potential impact on modern systems.

Critical deserialization vulnerability in Fortra GoAnywhere MFT

Fortra disclosed a critical deserialization vulnerability in GoAnywhere Managed File Transfer (MFT) software (CVE-2025-10035). This flaw, with a CVSS score of 10.0, allows arbitrary command execution through a forged license response signature. The vulnerability affects systems accessible over the internet and was patched in versions 7.8.4 and 7.6.3. Fortra has not confirmed exploitation in the wild, but similar vulnerabilities in the same product were previously exploited by ransomware actors. Users are advised to update to the patched versions immediately or restrict public access to the GoAnywhere Admin Console. Fortra discovered the vulnerability during a security check on September 11, 2025. The vulnerability was identified in the License Servlet of GoAnywhere MFT. Over 470 GoAnywhere MFT instances are being monitored by the Shadowserver Foundation.

Malware exploitation of Ivanti EPMM vulnerabilities CVE-2025-4427 and CVE-2025-4428

Two sets of malware have been discovered in an unnamed organization's network following the exploitation of vulnerabilities CVE-2025-4427 and CVE-2025-4428 in Ivanti Endpoint Manager Mobile (EPMM). The vulnerabilities were exploited around May 15, 2025, to gain access to the server running EPMM. This allowed attackers to execute arbitrary code, collect system information, download malicious files, and exfiltrate data. The malware sets included loaders that enabled persistence by injecting and running arbitrary code on the compromised server. The attacks leveraged two vulnerabilities: an authentication bypass (CVE-2025-4427) and a remote code execution flaw (CVE-2025-4428). The vulnerabilities affect Ivanti EPMM development branches 11.12.0.4, 12.3.0.1, 12.4.0.1, and 12.5.0.0. The attackers targeted the /mifs/rs/api/v2/ endpoint with HTTP GET requests to send malicious remote commands. The malware sets included distinct loaders with the same name, and malicious listeners for injecting and running arbitrary code. The threat actor delivered the malware through separate HTTP GET requests in segmented, Base64-encoded chunks. CISA provided detailed indicators of compromise (IOCs), YARA rules, and a SIGMA rule to help organizations detect such attacks. CISA recommends patching affected Ivanti EPMM instances immediately and treating mobile device management (MDM) systems as high-value assets (HVAs).
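As an added detection example for the delivery pattern described above (this is editorial illustration, not CISA's published YARA/SIGMA rules and not code from the original article): a Python heuristic that reads web-server access-log lines and flags a client that sends several GET requests to the /mifs/rs/api/v2/ endpoint whose query values look like Base64 chunks within a short window. The combined-log format, the query parameter name `chunk`, the chunk-count threshold, the time window and all addresses and timestamps in the sample lines are assumptions constructed for the example.

```python
"""Heuristic: repeated GET requests to /mifs/rs/api/v2/ carrying Base64-looking
query values from one client within a short window. Sample log lines below are
constructed for this example and do not come from a real EPMM deployment."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

# Constructed combined-format access-log lines (assumed layout, fake addresses).
SAMPLE_LOG = """\
192.0.2.7 - - [15/May/2025:10:00:40 +0000] "GET /mifs/rs/api/v2/ HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /mifs/rs/api/v2/?chunk=Y29uc3RydWN0ZWQgY2h1bmsgbnVtYmVyIDE=&seq=1 HTTP/1.1" 200 64 "-" "curl/8.0"
10.0.0.5 - - [15/May/2025:10:01:03 +0000] "GET /mifs/rs/api/v2/?chunk=Y29uc3RydWN0ZWQgY2h1bmsgbnVtYmVyIDI=&seq=2 HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.4 - - [15/May/2025:10:01:04 +0000] "POST /mifs/login.jsp HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [15/May/2025:10:01:05 +0000] "GET /mifs/rs/api/v2/?chunk=Y29uc3RydWN0ZWQgY2h1bmsgbnVtYmVyIDM=&seq=3 HTTP/1.1" 200 64 "-" "curl/8.0"
198.51.100.9 - - [15/May/2025:10:01:07 +0000] "GET /mifs/rs/api/v2/?chunk=Y29uc3RydWN0ZWQgY2h1bmsgbnVtYmVyIDE= HTTP/1.1" 200 64 "-" "python-requests/2.31"
10.0.0.5 - - [15/May/2025:10:01:09 +0000] "GET /mifs/rs/api/v2/?chunk=Y29uc3RydWN0ZWQgY2h1bmsgbnVtYmVyIDQ=&seq=4 HTTP/1.1" 200 64 "-" "curl/8.0"
192.0.2.7 - - [15/May/2025:10:02:00 +0000] "GET /mifs/rs/api/v2/?device=abc123 HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PREFIX = "/mifs/rs/api/v2/"          # endpoint named in the advisory summary
# Base64 alphabet, at least 24 characters, optional padding. Length floor is an
# assumed tuning knob to skip short identifiers that happen to use the alphabet.
B64_RE = re.compile(r'^[A-Za-z0-9+/]{24,}={0,2}$')


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "target": m["target"], "status": int(m["status"])}


def base64_params(target):
    """Names of query parameters whose value looks like a Base64 chunk.
    The query is split by hand and decoded with unquote (not unquote_plus)
    so a literal '+' inside a Base64 token is not turned into a space."""
    query = urlsplit(target).query
    names = []
    for pair in query.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        if B64_RE.match(unquote(value)):
            names.append(key)
    return names


def suspicious_requests(lines):
    """GET requests to the target endpoint that carry a Base64-looking value."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if not urlsplit(rec["target"]).path.startswith(TARGET_PREFIX):
            continue
        params = base64_params(rec["target"])
        if params:
            rec["params"] = params
            hits.append(rec)
    return hits


def flag_sources(lines, min_chunks=3, window=timedelta(minutes=10)):
    """Map client IP -> max number of chunk-like requests seen inside `window`,
    for clients at or above `min_chunks` (both thresholds are assumptions)."""
    by_ip = defaultdict(list)
    for rec in suspicious_requests(lines):
        by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):          # sliding window over sorted times
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_chunks:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} Base64 chunk requests to {TARGET_PREFIX}")
```

Only the client that sends several chunk-like requests in quick succession is flagged; a single request with a Base64-looking value and ordinary traffic to the same endpoint are not, which keeps the heuristic usable as a triage filter rather than a blocking rule. Use it alongside the CISA-provided IOCs and rules the summary mentions, not in place of them.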

SilentSync RAT delivered via malicious PyPI packages targeting Python developers

Two malicious packages, sisaws and secmeasure, were discovered in the Python Package Index (PyPI) repository. These packages deliver the SilentSync remote access trojan (RAT) to Windows systems. The trojan is capable of remote command execution, file exfiltration, screen capturing, and extracting web browser data. The packages were uploaded by a user named CondeTGAPIS and have been removed from PyPI. The sisaws package mimics the legitimate sisa package, while secmeasure masquerades as a security library. The trojan is designed to infect Windows systems but also supports Linux and macOS. It communicates with a command and control (C2) server to receive commands and exfiltrate data. The discovery highlights the risk of supply chain attacks within public software repositories.