Archive: https://archive.today/qUV0F
From the post:
>The newly disclosed bug, tracked as CVE-2025-26399 (CVSS score of 9.8), is described as an unauthenticated AjaxProxy deserialization RCE flaw that could allow attackers to execute commands on the host machine. “This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986,” SolarWinds notes in an advisory released last week. The original security defect, tracked as CVE-2024-28986 (CVSS score of 9.8), a Java deserialization RCE bug that was reported as being exploitable without authentication, was flagged as exploited only days after SolarWinds released a hotfix in August 2024.