SolarWinds warns over dangerous RCE flaw | Computer Weekly
Briefly

"Tracked as CVE-2025-26399, the bug bypasses a fix for a previous flaw, CVE-2024-28988, which was discovered and disclosed by Guy Lederfein of Trend Micro Security Research 12 months ago, in September 2024. However, in a twist reminiscent of the nursery rhyme about old ladies swallowing spiders to catch flies, CVE-2024-28988 itself bypassed a fix for a third issue, CVE-2024-28986. Like the preceding vulnerabilities, the latest issue once again takes the form of an unauthenticated AjaxProxy deserialisation RCE vulnerability."
"Computer Weekly understands that there is currently no evidence of any threat actors having exploited CVE-2025-26399 in the wild. However, SolarWinds' Web Help Desk tool is in extensive use at major enterprises and government and public sector bodies alike, and the earlier 'versions' of the new flaw were considered serious enough to be added to the Known Exploited Vulnerabilities catalogue run by the US' Cybersecurity and Infrastructure Security Agency (CISA)."
SolarWinds has issued a patch for an unauthenticated AjaxProxy deserialisation remote code execution vulnerability tracked as CVE-2025-26399 and included in a hotfix for Web Help Desk version 12.8.7. The vulnerability bypasses a fix for CVE-2024-28988, which previously bypassed a fix for CVE-2024-28986, forming a chain of related bypasses. Successful exploitation can allow an attacker to run commands on the host machine. There is currently no evidence of exploitation in the wild, but widespread enterprise and government use and prior additions to CISA's Known Exploited Vulnerabilities catalogue increase urgency and the likelihood of targeting.
Read at ComputerWeekly.com