
SolarWinds releases fix for second patch bypass of exploited RCE flaw


SolarWinds released a third patch related to a critical remote code execution (RCE) flaw in SolarWinds Web Help Desk, which came under active exploitation in August 2024.

The newly discovered flaw, tracked as CVE-2025-26399 and added to the National Vulnerability Database (NVD) on Tuesday, bypasses the patch for an earlier bypass flaw, which in turn had circumvented the patch for the original RCE vulnerability, CVE-2024-28986.

“In its third iteration of patching, only time will tell whether or not this flaw is in attackers’ crosshairs and will see exploitation,” Scott Caveza, senior staff research engineer at Tenable, told SC Media in an email.

CVE-2024-28986 is a critical Java deserialization vulnerability in SolarWinds Web Help Desk that could enable an attacker to run commands on the host machine. The flaw, which has a CVSS score of 9.8, was added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog on Aug. 15, 2025.
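Java deserialization flaws of the kind described above arise when an application reconstitutes objects from bytes it does not control and lets the byte stream dictate which classes are instantiated. The following is an added illustration, not SolarWinds code and not derived from Web Help Desk internals, of the weak pattern beside the standard mitigation: a JEP 290 `ObjectInputFilter` allow-list that rejects any class the application did not expect. The serialized payloads are constructed in-process, and `java.util.HashMap` merely stands in for "a class the application never intended to accept".

```java
import java.io.*;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/**
 * Added example (not part of the original article): contrasts unfiltered
 * Java deserialization with an ObjectInputFilter allow-list. Requires Java 9+.
 */
public class DeserializationAllowList {

    // Only these classes may be reconstituted from untrusted bytes; "!*" rejects
    // everything else. maxdepth/maxrefs bound resource use of a hostile stream.
    // java.lang.String is listed for JDKs that also run the filter on string constants.
    private static final ObjectInputFilter ALLOW_LIST = ObjectInputFilter.Config.createFilter(
            "java.util.ArrayList;java.lang.String;maxdepth=5;maxrefs=100;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Weak pattern: the incoming stream decides which classes get instantiated.
    static Object deserializeUnfiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // Hardened pattern: the application decides, before any object is created.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(ALLOW_LIST);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample payload of the type the application legitimately expects.
        List<String> expected = new ArrayList<>(List.of("ticket-1", "ticket-2"));
        byte[] ok = serialize(expected);
        System.out.println("filtered, expected type: " + deserializeFiltered(ok));

        // Constructed sample payload of a type the application did not intend to accept.
        byte[] unexpected = serialize(new HashMap<String, Integer>());
        System.out.println("unfiltered, unexpected type accepted: "
                + deserializeUnfiltered(unexpected).getClass().getName());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            // The filter rejects the class descriptor before HashMap is constructed.
            System.out.println("filtered, unexpected type rejected: " + e.getMessage());
        }
    }
}
```

The design point is that the allow-list is evaluated when each class descriptor is read, so a rejected class is never instantiated and none of its deserialization hooks run. A process-wide default filter can also be set with `ObjectInputFilter.Config.setSerialFilter` or the `jdk.serialFilter` system property, which is the usual way to cover third-party code paths that open their own `ObjectInputStream`.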

In October 2024, SolarWinds released a hotfix for a bypass of the original patch for CVE-2024-28986. The patch bypass flaw, tracked as CVE-2024-28988, was discovered by the Trend Micro Zero Day Initiative (ZDI) team, which was able to produce an unauthenticated attack during testing. However, CVE-2024-28988 is not known to have been exploited in the wild.

The latest fix addresses a bypass of the patch for CVE-2024-28988, which in turn could enable exploitation of the original RCE flaw CVE-2024-28986. The issue affects SolarWinds Web Help Desk 12.8.7 and all previous versions and can be addressed by installing the hotfix 12.8.7 HF1.

“Given the history of SolarWinds vulnerabilities and the opportunistic nature of attackers, we suggest immediate patching prior to exploit code being publicly released or active exploitation by nefarious actors,” said Caveza, noting the company’s previous high-profile supply chain breach in 2020 and exploitation of a zero-day in its Serv-U Managed File Transfer software in 2021.
