SolarWinds patches critical RCE - for the third time
"SolarWinds on Tuesday released a hotfix - again - for a critical, 9.8-severity flaw in its Web Help Desk IT ticketing software that could allow a remote, unauthenticated attacker to run commands on a host machine. This is the third time the vendor has tried to fix this flaw, an unauthenticated, AJAXproxy deserialization remote code execution (RCE) bug in its Web Help Desk ticketing and asset management software."
""This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986," SolarWinds noted in its Tuesday release. Criminals exploited both of those earlier vulnerabilities. It all started in mid-August 2024, when the software maker released a hotfix for CVE-2024-28986, a critical (9.8 CVSS) deserialization RCE vulnerability in Web Help Desk. CISA later added this flaw to its Known Exploited Vulnerabilities catalog."
""Anonymous," working with ZDI, is also credited with finding and reporting this flaw to SolarWinds. A SolarWinds spokesperson told The Register that the company is not aware of any exploitation as of yet. However, as threat intel firm watchTowr warned on social media: "Given SolarWinds' past, in-the-wild exploitation is highly likely. Patch now." SolarWinds is widely known for the backdoor Russian actors maliciously added to its Orion suite in a supply-chain attack back in 2020."
SolarWinds released another hotfix addressing a critical 9.8-severity deserialization remote code execution vulnerability in Web Help Desk that can permit remote, unauthenticated command execution. The vulnerability is an AJAXproxy deserialization RCE and represents a patch bypass of earlier CVE-2024-28988 and CVE-2024-28986 fixes. The initial hotfix for CVE-2024-28986 was issued in mid-August 2024 and was added to CISA's Known Exploited Vulnerabilities catalog. Trend Micro's Zero Day Initiative discovered CVE-2024-28988 in October 2024. The new CVE-2025-26399 was reported by "Anonymous" with ZDI. No confirmed exploitation is reported, but threat intelligence warns in-the-wild attacks are likely and urges immediate patching.
Read the full story at The Register.