SolarWinds Makes Third Attempt at Patching Exploited Vulnerability
CVE-2025-26399 (CVSS 9.8) is an unauthenticated deserialization remote code execution vulnerability in the AjaxProxy component that can allow attackers to execute commands on the host. The flaw is a patch bypass of CVE-2024-28988, which was itself a bypass of CVE-2024-28986. CVE-2024-28986 was a Java deserialization RCE reported as exploitable without authentication, and it was observed being exploited only days after an August 2024 hotfix. A subsequent hotfix removed hardcoded credentials tracked as CVE-2024-28987. Mid-October 2024 updates addressed CVE-2024-28988 after CISA warned that the hardcoded credentials had been exploited. CVE-2025-26399 was discovered by an anonymous researcher working with Trend Micro's ZDI. Given the critical severity, users are advised to apply the hotfix promptly.
"'This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986,' SolarWinds notes in an advisory released last week. The original security defect, tracked as CVE-2024-28986 (CVSS score of 9.8), a Java deserialization RCE bug that was reported as being exploitable without authentication, was flagged as exploited only days after SolarWinds released a hotfix in August 2024."
"In mid-October 2024, on the same day the US cybersecurity agency CISA warned that the hardcoded credentials had been exploited in attacks, SolarWinds announced a third hotfix that also resolves CVE-2024-28988 (CVSS score of 9.8), another Java deserialization RCE in the AjaxProxy. 'This vulnerability was found by the ZDI team after researching a previous vulnerability and providing this report. The ZDI team was able to discover an unauthenticated attack during their research,' SolarWinds said at the time."
Read at SecurityWeek