SolarWinds has launched sizzling fixes to deal with a crucial safety flaw impacting its Net Assist Desk software program that, if efficiently exploited, might permit attackers to execute arbitrary instructions on inclined techniques.
The vulnerability, tracked as CVE-2025-26399 (CVSS rating: 9.8), has been described for instance of deserialization of untrusted knowledge that would lead to code execution. It impacts SolarWinds Net Assist Desk 12.8.7 and all earlier variations.
“SolarWinds Net Assist Desk was discovered to be inclined to an unauthenticated AjaxProxy deserialization distant code execution vulnerability that, if exploited, would permit an attacker to run instructions on the host machine,” SolarWinds stated in an advisory launched on September 17, 2025.
An nameless researcher working with the Development Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw.
SolarWinds stated CVE-2025-26399 is a patch bypass for CVE-2024-28988 (CVSS rating: 9.8), which, in flip, is a bypass for CVE-2024-28986 (CVSS rating: 9.8) that was initially addressed by the corporate again in August 2024.
“This vulnerability permits distant attackers to execute arbitrary code on affected installations of SolarWinds Net Assist Desk. Authentication isn’t required to take advantage of this vulnerability,” in accordance with a ZDI advisory for CVE-2024-28988.
“The particular flaw exists throughout the AjaxProxy. The problem outcomes from the shortage of correct validation of user-supplied knowledge, which can lead to deserialization of untrusted knowledge. An attacker can leverage this vulnerability to execute code within the context of SYSTEM.”
Whereas there isn’t any proof of the vulnerability being exploited within the wild, customers are suggested to replace their cases to SolarWinds Net Assist Desk 12.8.7 HF1 for optimum safety.
That stated, it is value emphasizing that the unique bug CVE-2024-28986 was added to the Identified Exploited Vulnerabilities (KEV) catalog by the U.S. Cybersecurity and Infrastructure Safety Company (CISA) shortly after public disclosure. There’s presently no data publicly out there on the character of the assaults weaponizing the bug.
“SolarWinds is a reputation that wants no introduction in IT and cybersecurity circles. The notorious 2020 provide chain assault, attributed to Russia’s Overseas Intelligence Service (SVR), allowed months-long entry into a number of Western authorities companies and left an enduring mark on the business,” Ryan Dewhurst, head of proactive risk intelligence at watchTowr, stated in an announcement.
“Quick ahead to 2024: an unauthenticated distant deserialization vulnerability (CVE-2024-28986) was patched… then patched once more (CVE-2024-28988). And now, right here we’re with one more patch (CVE-2025-26399) addressing the exact same flaw.
“Third time’s the allure? The unique bug was actively exploited within the wild, and whereas we’re not but conscious of energetic exploitation of this newest patch bypass, historical past suggests it is solely a matter of time.”
