SolarWinds fixes Web Help Desk patch bypass for actively exploited flaw — again

Published 2025-09-23 on newestek.com (https://newestek.com/?p=14842)

SolarWinds has released a third patch for essentially the same critical Java deserialization vulnerability in its Web Help Desk product. The original flaw was first patched in August 2024 with warnings from CISA that it had been exploited in the wild.

“This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986,” SolarWinds wrote in its new advisory (https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399), which tracks the latest issue as CVE-2025-26399.

While the three CVE IDs are different, they stem from the same bug: an unsafe Java deserialization issue in the AjaxProxy component that can lead to remote code execution without authentication. The flaw is rated 9.8 out of 10 on the CVSS severity scale.

In programming, serialization is the process of converting data into a stream of bytes, usually to transmit it over the wire. Deserialization reverses that process and, like most data parsing operations, it can be a source of vulnerabilities.

Deserialization flaws most often affect Java applications, but apps written in other programming languages such as ASP.NET can also be affected (https://www.csoonline.com/article/571087/apt-group-hits-iis-web-servers-with-deserialization-flaws-and-memory-resident-malware.html). These vulnerabilities often result in arbitrary command execution, making them popular with attackers.

Only a few days after CVE-2024-28986 was patched in August 2024, CISA added it to its Known Exploited Vulnerabilities (KEV) catalog, though it’s not clear whether the flaw was exploited as a zero-day before the patch was released.

In October 2024, SolarWinds released a new hotfix to address a bypass of its initial fix that was discovered by researchers working with Trend Micro’s Zero Day Initiative (ZDI) program. Almost a year later, researchers working with ZDI found a bypass of that bypass.

“Third time’s the charm?” asked Ryan Dewhurst, head of proactive threat intelligence at watchTowr. “The original bug was actively exploited in the wild, and while we’re not yet aware of active exploitation of this latest patch bypass, history suggests it’s only a matter of time.”

Patch bypasses are not necessarily rare, especially when dealing with flaws involving unsafe parsing of untrusted user input. That’s because many developers take a blacklist approach to fixing such flaws and simply block the specific input used in the known proof-of-concept or weaponized exploit.

But that often doesn’t address the root of the problem, leaving other ways to evade the blacklist and reach the same vulnerable part of the code. It’s hard to say how often this happens because many developers treat a patch bypass as a separate flaw and do not disclose it as a bypass.