Article Details
Scrape Timestamp (UTC): 2025-09-23 17:03:17.166
Source: https://www.theregister.com/2025/09/23/solarwinds_patches_rce/
Original Article Text
Third time's the charm? SolarWinds (again) patches critical Web Help Desk RCE

Or maybe 3 strikes, you're out?

SolarWinds on Tuesday released a hotfix - again - for a critical, 9.8-severity flaw in its Web Help Desk IT ticketing software that could allow a remote, unauthenticated attacker to run commands on a host machine.

This is the third time the vendor has tried to fix this flaw, an unauthenticated AjaxProxy deserialization remote code execution (RCE) bug in its Web Help Desk ticketing and asset management software.

"This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986," SolarWinds noted in its Tuesday release. Criminals exploited both of those earlier vulnerabilities.

It all started in mid-August 2024, when the software maker released a hotfix for CVE-2024-28986, a critical (9.8 CVSS) deserialization RCE vulnerability in Web Help Desk. CISA later added this flaw to its Known Exploited Vulnerabilities catalog.

Then in October 2024, SolarWinds disclosed and tried to patch CVE-2024-28988, another 9.8-rated Web Help Desk Java deserialization RCE bug, which Trend Micro's Zero Day Initiative (ZDI) spotted while researching CVE-2024-28986. "The ZDI team was able to discover an unauthenticated attack during their research," SolarWinds said at the time.

And that brings us to CVE-2025-26399, the new vuln. "Anonymous," working with ZDI, is also credited with finding and reporting this flaw to SolarWinds.

A SolarWinds spokesperson told The Register that the company is not aware of any exploitation as of yet. However, as threat intel firm watchTowr warned on social media: "Given SolarWinds' past, in-the-wild exploitation is highly likely. Patch now."

SolarWinds is widely known for the backdoor Russian actors maliciously added to its Orion suite in a supply-chain attack back in 2020.
"SolarWinds is a name that needs no introduction in IT and cybersecurity circles," Ryan Dewhurst, head of proactive threat intelligence at watchTowr, told The Register. "The infamous 2020 supply chain attack, attributed to Russia's Foreign Intelligence Service (SVR), allowed months-long access into multiple Western government agencies and left a lasting mark on the industry." In 2024, the software vendor twice tried to patch the newer unauthenticated remote deserialization vulnerability, he noted. "And now, here we are with yet another patch (CVE-2025-26399) addressing the very same flaw," Dewhurst said. "Third time's the charm?"
Daily Brief Summary
SolarWinds released a hotfix addressing a critical 9.8-severity vulnerability in its Web Help Desk software, marking the third attempt to resolve this issue.
The flaw, identified as CVE-2025-26399, allows remote, unauthenticated attackers to execute commands on affected systems, posing significant security risks.
Previous attempts to patch related vulnerabilities, CVE-2024-28986 and CVE-2024-28988, were bypassed, leading to continued exploitation by cybercriminals.
The vulnerability was discovered by an anonymous researcher working with Trend Micro's Zero Day Initiative, highlighting ongoing collaboration in vulnerability identification.
While there are no confirmed exploitations of CVE-2025-26399 yet, experts caution that SolarWinds' history suggests a high likelihood of future attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) previously listed related vulnerabilities in its Known Exploited Vulnerabilities catalog, emphasizing the urgency of patching.
This situation underscores the critical need for organizations using SolarWinds software to apply the latest patches promptly to mitigate potential threats.