Archive for Solarwinds

New SolarWinds CVE Continues Patch-Bypass Pattern

Posted in Commentary with tags on March 10, 2026 by itnerd

CISA and NVD have published a new critical vulnerability affecting SolarWinds Web Help Desk, tracked as CVE-2025-26399, which involves deserialization of untrusted data that could allow remote code execution.

What makes this vulnerability particularly notable is that it appears to be a bypass of a previous SolarWinds patch, tracked as CVE-2024-28988, which was itself a bypass of an earlier fix tracked as CVE-2024-28986. Security researchers are already pointing out that this creates a concerning pattern of patch bypasses tied to the same vulnerability class.

Bobby Kuzma, Director of Offensive Cyber Operations, ProCircular

“The newly disclosed CVE-2025-26399 vulnerability in SolarWinds Web Help Desk is especially troubling because it appears to be a patch bypass of a previous critical flaw — which itself was already a bypass of an earlier patch for essentially the same vulnerability class. When vulnerabilities repeatedly reappear through patch bypasses, it suggests the underlying root cause may not have been fully addressed. As security professionals sometimes joke, if developers are being forced to patch just enough to break the exploit instead of fixing the root issue, they should blink twice and we’ll send help. The humor reflects a real problem: partial fixes can leave organizations exposed to the next iteration of the same flaw.”

SolarWinds-related vulnerabilities just will not die. That’s bad news for anyone responsible for defending organizations, because their lives will be pretty miserable.

SolarWinds Mostly Beats The Rap When It Comes To An SEC Lawsuit Related To Their Epic Pwnage

Posted in Commentary with tags on July 19, 2024 by itnerd

Well, this isn’t good in terms of accountability.

A U.S. judge dismissed most of a Securities and Exchange Commission lawsuit accusing software company SolarWinds of defrauding investors by concealing its security weaknesses before and after a Russia-linked cyberattack targeting the U.S. government. You can read the decision here.

John Gunn, CEO, Token had this to say:

The backdrop to this ruling is the recent SCOTUS decision in Loper that overturned the Chevron deference and placed a greater burden on regulatory agencies, including the SEC, to more clearly define regulatory requirements and to move decisions on penalties from agencies to the courts. 

Anyone who sees this as SolarWinds being relieved from the consequences of their actions is overlooking the $26 million they paid to settle the shareholder class action lawsuit resulting from this incident and the staggering $2 billion loss in company value they have suffered since the incident was disclosed. These financial penalties have the biggest impact on other organizations’ motivation to pursue more stringent cybersecurity protections and disclosures.

While SolarWinds did pay a financial price for this hack, I really think that this isn’t enough. Legal accountability has to be layered on top of this, as financial accountability alone simply becomes a cost of doing business. That doesn’t happen with legal accountability. Hopefully this gets appealed.

SolarWinds Vulnerability Being Actively Exploited By Threat Actors

Posted in Commentary with tags on June 21, 2024 by itnerd

SolarWinds reports that a high-severity flaw in SolarWinds Serv-U file transfer software exists and should be patched ASAP:

Summary

SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow access to read sensitive files on the host machine.

Affected Products

SolarWinds Serv-U 15.4.2 HF 1 and previous versions 

Fixed Software Release

SolarWinds Serv-U 15.4.2 HF 2

Here’s why it should be patched ASAP. Threat actors are currently using it to launch attacks:

Threat actors are actively exploiting a SolarWinds Serv-U path-traversal vulnerability, leveraging publicly available proof-of-concept (PoC) exploits.

Although the attacks do not appear particularly sophisticated, the observed activity underscores the risk posed by unpatched endpoints, emphasizing the urgent need for administrators to apply the security updates.
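The Serv-U advisory above describes a path-traversal flaw, and the Web Help Desk post further up describes fixes that "patch just enough to break the exploit". The following is an added illustration of that point, not SolarWinds code and not a description of how Serv-U was actually fixed: a symptom-level blocklist filter is compared with a root-cause canonicalization check over constructed request strings. The server root, the request strings and both filters are hypothetical.

```python
"""Illustrative comparison: a blocklist 'patch' for path traversal versus a
root-cause fix. Added example for this page, not SolarWinds code; the server
root, the request strings and the filter logic are all constructed."""
import posixpath
from urllib.parse import unquote

SERVER_ROOT = "/srv/files"  # hypothetical document root of a file server


def blocklist_filter(requested: str) -> bool:
    """Symptom-level 'patch': reject any request containing a literal '../'.

    This is the style of fix the page warns about. It breaks one exploit
    string but leaves the root cause (an untrusted path reaching the
    filesystem) in place. Returns True if the request is allowed.
    """
    return "../" not in requested


def canonical_check(requested: str) -> bool:
    """Root-cause fix: decode, normalise, then require the resolved path to
    stay inside SERVER_ROOT. Returns True if the request is allowed."""
    decoded = unquote(unquote(requested))        # collapse double URL-encoding
    decoded = decoded.replace("\\", "/")         # treat backslash as a separator
    resolved = posixpath.normpath(
        posixpath.join(SERVER_ROOT, decoded.lstrip("/"))
    )
    return resolved == SERVER_ROOT or resolved.startswith(SERVER_ROOT + "/")


# Constructed sample requests for a regression test: one legitimate path and
# encoded/separator variants of the same traversal attempt that a
# patch-bypass cycle would iterate through.
SAMPLE_REQUESTS = [
    "reports/q1.pdf",
    "../../etc/passwd",
    "..%2F..%2Fetc/passwd",
    "..\\..\\etc\\passwd",
]


def compare_filters(requests=SAMPLE_REQUESTS):
    """Return {request: (allowed_by_blocklist, allowed_by_canonical_check)}."""
    return {r: (blocklist_filter(r), canonical_check(r)) for r in requests}


if __name__ == "__main__":
    for req, (blocklist_ok, canonical_ok) in compare_filters().items():
        print(f"{req!r:28} blocklist allows={blocklist_ok!s:5} canonical allows={canonical_ok}")
```

The blocklist passes the encoded and backslash variants while the canonical check rejects every traversal attempt and still admits the legitimate path.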

Rogier Fischer, CEO and Co-Founder, Hadrian had this comment:

“Exploiting this vulnerability can lead to significant issues such as unauthorized data access, resulting in potential data breaches and non-compliance with regulations, from GDPR to HIPAA. Financial implications are considerable, involving not only the costs of incident response and mitigation but also regulatory fines and legal actions from affected customers. In an ideal world, organizations utilizing this software would have applied the patch already, considering how big the earlier SolarWinds fiasco was.”

This is another one of those times where you need to drop everything and patch away. Seeing as this exploit is out there and being used by threat actors, you really have no other choice.

SEC Charges Solarwinds CISO Over 2020 Cyberattack

Posted in Commentary with tags on November 9, 2023 by itnerd

The CISO of SolarWinds is getting a lesson in cybersecurity from the SEC, as Timothy G. Brown has been charged by the SEC in relation to the epic hack that SolarWinds suffered in 2020, which had long-lasting repercussions:

The Securities and Exchange Commission brought charges against both Austin, TX-based information security software company SolarWinds and its CISO Timothy G. Brown on October 30. The SEC alleges Brown committed fraud and failed to address known internal security issues, eventually leading to the massive Sunburst cybersecurity attack against the U.S. federal government in December 2020.

And:

The SEC alleges that between SolarWinds’ October 2018 initial public offering and the December 2020 announcement of the large-scale cyberattack, SolarWinds and Brown specifically ” … defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”

SolarWinds personnel, including Brown, made internal assessments that were at odds with the company’s promises to its customers, the SEC said. A presentation in 2018 made by a company engineer found SolarWinds’ remote access setup to be “not very secure,” which could lead to exploitation in which an attacker “can basically do whatever without us detecting it until it’s too late,” the SEC found.

“The volume of security issues being identified over the last month have (sic) outstripped the capacity of Engineering teams to resolve,” a September 2020 internal document presented to Brown stated, according to the SEC.

Those issues included basic security best practices such as not using default passwords.

On some products, default passwords such as “password” remained in place. The password “solarwinds123” was also in use, the SEC filing said.

The SEC alleges that SolarWinds didn’t disclose the full extent of the Sunburst cybersecurity incident on Dec. 14, 2020. SolarWinds had filed a Form 8-K on that date; that is the form the SEC requires organizations to fill out in order to formally notify investors in the event of a significant event. After SolarWinds filed the Form 8-K on December 14, SolarWinds’ stock dropped 25% in two days and 35% by the end of December.

With the usual caveat that none of this has been proven in court, this is pretty bad if it does get proven. Chris Clymer, CISO, Inversion6 had this comment:

This latest SEC charge against SolarWinds’ CISO comes on the heels of two other highly related pieces of news. The first is the SEC’s recent guidance requiring strong board oversight of security and rapid disclosure of breaches. The second is the at-the-time unprecedented charging of Uber’s CISO over their own breach.

The security community has fixated on the breach disclosure element of the SEC guidance, but I find the governance piece more interesting. Especially because of what the SEC did NOT do: Namely, define exactly what would be “material” enough to require disclosure, or provide any guidance whatsoever into appropriate controls. Similarly, with this SolarWinds news the security community is scratching its collective head trying to understand just what degree of disclosure is needed over everyday vulnerabilities that every company has. In the case of the Uber breach, the CISO actively participated in a cover-up of identified risks, even altering reports of findings to better fit the narrative the company wished to portray to the public. With SolarWinds, it appears from the outside to be very similar to the situation most CISOs face with known vulnerabilities, and only so many resources to address them. Is there a risk rating the SEC wants us to target? A particular CVSS score? I think these details all miss the bigger picture.

I would argue that the consternation among CISOs and other executives and confusion about where the line lies is exactly what the SEC hoped to see. The message they are sending here has nothing to do with the day-to-day operations of a security program. To me, the message is simple: Don’t let a breach like SolarWinds experienced happen on your watch. If it does, the executive team will be scrutinized and held accountable…and most likely, there will be deficiencies to find. If you want to avoid a debate about what is truly “material” then avoid having a breach…”simple”.

While this feels grim and unrealistic to CISOs who all agree that it’s a matter of “when” not “if” a breach happens, it’s not unprecedented. Companies who take credit cards have long had to meet the bar of PCI compliance, and undergo regular audits to prove this. And yet, if credit cards are believed to have been breached they undergo a MUCH more aggressive “PCI Forensic Investigation” that proves virtually 100% of the time that the company was actually NOT fully PCI compliant at the time of the breach. This unfair standard has pushed these companies to invest greatly in new technologies like tokenization to greatly diminish the opportunities for credit card exposure…and credit card breaches have dropped dramatically as a result.

This should be a wake-up call to anyone who is in a position of responsibility when it comes to cybersecurity. Get your act together and make sure that your organization’s security is on point. Or else bad things will happen to you, just like they have happened to this guy.