
"This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986," SolarWinds notes in an advisory released last week. The original security defect, tracked as CVE-2024-28986 (CVSS score of 9.8), a Java deserialization RCE bug that was reported as being exploitable without authentication, was flagged as exploited only days after SolarWinds released a hotfix in August 2024."
"In mid-October 2024, on the same day the US cybersecurity agency CISA warned that the hardcoded credentials had been exploited in attacks, SolarWinds announced a third hotfix that also resolves CVE-2024-28988 (CVSS score of 9.8), another Java deserialization RCE in the AjaxProxy. "This vulnerability was found by the ZDI team after researching a previous vulnerability and providing this report. The ZDI team was able to discover an unauthenticated attack during their research," SolarWinds said at the time."
CVE-2025-26399 (CVSS 9.8) is an unauthenticated AjaxProxy deserialization remote code execution vulnerability that can allow attackers to execute commands on the host. The flaw functions as a patch bypass of CVE-2024-28988, which itself bypassed CVE-2024-28986. CVE-2024-28986 was a Java deserialization RCE reported exploitable without authentication and was observed as exploited only days after an August 2024 hotfix. A subsequent hotfix removed hardcoded credentials tied to CVE-2024-28987. Mid-October updates addressed CVE-2024-28988 after CISA warned of credential exploitation. An anonymous researcher working with Trend Micro ZDI discovered CVE-2025-26399. Users are advised to apply the hotfix promptly due to critical severity.
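The bug class named throughout this item is Java deserialization of untrusted input. The following is an added illustration of that class and of the standard JDK mitigation for it, a serialization filter (JEP 290); it is not SolarWinds code, it makes no claim about how the AjaxProxy endpoint or any of the hotfixes are implemented, and the `Ticket` class, the filter pattern and the sample payloads are constructed for the demo.

```java
import java.io.*;
import java.util.HashMap;

/*
 * Added example: an unfiltered ObjectInputStream beside an allowlist-filtered one.
 * Not SolarWinds code; Ticket, the filter pattern and the inputs are constructed here.
 */
public class DeserializationFilterDemo {

    /** Constructed sample type that the receiving code legitimately expects. */
    static final class Ticket implements Serializable {
        private static final long serialVersionUID = 1L;
        final int id;
        final String title;
        Ticket(int id, String title) { this.id = id; this.title = title; }
    }

    /** Serialize any object to bytes; stands in for data arriving over the network. */
    static byte[] toBytes(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** The risky pattern: any Serializable class on the classpath may be instantiated. */
    static Object readUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    /**
     * Hardened form: an allowlist filter. Only Ticket (and String, for its field)
     * may be instantiated; the trailing "!*" rejects every other class, and the
     * depth/reference limits blunt deeply nested or oversized payloads.
     */
    static final ObjectInputFilter ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "maxdepth=5;maxrefs=100;"
          + Ticket.class.getName() + ";java.lang.String;!*");

    static Object readFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOWLIST);   // JDK 9+; must be set before readObject()
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = toBytes(new Ticket(42, "printer offline"));
        byte[] unexpected = toBytes(new HashMap<String, String>()); // a type the handler never asked for

        // Without a filter the unexpected type is happily instantiated.
        System.out.println("unfiltered, unexpected type: " + readUnfiltered(unexpected).getClass());

        // With the allowlist the expected type still round-trips...
        System.out.println("filtered, expected type:     " + ((Ticket) readFiltered(expected)).title);

        // ...and anything outside the allowlist is refused before it is constructed.
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered, unexpected type:   rejected (" + e.getMessage() + ")");
        }
    }
}
```

The point of the filter is that it decides on the class descriptor before any object of that class is created, so an allowlist plus `!*` closes the "any class on the classpath" surface rather than chasing individual gadget types; the same pattern can be installed process-wide with the `jdk.serialFilter` system property instead of per stream.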
Read at SecurityWeek