CVE-2025-26391
📋 TL;DR
SolarWinds Observability Self-Hosted contains a cross-site scripting (XSS) vulnerability in user-created URL fields that allows authenticated low-privilege users to inject malicious scripts. When exploited, this could enable attackers to steal session cookies, perform actions as other users, or deface the application. Organizations running affected SolarWinds self-hosted deployments are vulnerable.
💻 Affected Systems
- SolarWinds Observability Self-Hosted
- SolarWinds Platform
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could steal administrator session cookies, gain full administrative access to the SolarWinds platform, pivot to other systems, and potentially compromise the entire monitoring infrastructure.
Likely Case
Low-privilege authenticated users could steal session cookies from other users, perform unauthorized actions within the application, or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution while maintaining URL functionality.
🎯 Exploit Status
Exploitation requires authenticated access with any user account. The vulnerability is in user-controlled URL fields where malicious JavaScript can be injected.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.4.1
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26391
Restart Required: Yes
Instructions:
1. Download SolarWinds Platform 2025.4.1 from the SolarWinds customer portal.
2. Backup your current installation and database.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart SolarWinds services after completion.
🔧 Temporary Workarounds
Input Validation Enhancement
Implement additional input validation on URL fields to reject or sanitize JavaScript content
Content Security Policy
Implement strict Content Security Policy headers to mitigate XSS impact
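As an added illustration of the input-validation workaround (example code written for this page, not code from SolarWinds or from the advisory), the Python below shows the two layers the text relies on: a scheme allowlist applied before a user-supplied link is stored, so that javascript:, data: and vbscript: values never reach a page, and attribute-context output encoding when the link is rendered. The function names, the control-character check and the decision to refuse quotes and angle brackets outright are this example's own assumptions.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

# Schemes a user-created link field is allowed to store (assumption for this example).
ALLOWED_SCHEMES = {"http", "https"}


def validate_user_url(raw: Optional[str]) -> Optional[str]:
    """Return the URL if it is acceptable to store, otherwise None.

    Input-validation layer: only absolute http/https URLs pass, so a
    'javascript:' or 'data:' link is rejected at write time, and characters
    that could terminate an HTML attribute are refused as well.
    """
    if raw is None:
        return None
    candidate = raw.strip()
    # Browsers ignore tabs/newlines inside a scheme ("java\tscript:"), so
    # refuse any control character rather than trying to normalize it away.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return None
    parts = urlsplit(candidate)  # urlsplit lower-cases the scheme for us
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        # Also rejects scheme-relative "//host/" and bare "host/path" values.
        return None
    # Conservative choice: quotes and angle brackets have no place in a stored link.
    if any(ch in candidate for ch in "<>\"'"):
        return None
    return candidate


def render_link(label: str, url: Optional[str]) -> str:
    """Output-encoding layer: escape both the href value and the visible text.

    A URL that fails validation is rendered as plain text, so a value that
    slipped past write-time checks is still never emitted as an href.
    """
    safe_label = html.escape(label, quote=True)
    safe_url = validate_user_url(url)
    if safe_url is None:
        return f"<span>{safe_label}</span>"
    return f'<a href="{html.escape(safe_url, quote=True)}">{safe_label}</a>'


if __name__ == "__main__":
    for candidate in ("https://example.com/dash?id=5", "javascript:alert(1)",
                      "java\tscript:alert(1)", "//evil.example/"):
        print(repr(candidate), "->", render_link("link", candidate))
```

The two layers are deliberately independent: validation keeps dangerous values out of the database, while encoding at render time protects against anything already stored before the check was added, which matters when a workaround is applied to an instance that has been running unpatched.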
🧯 If You Can't Patch
- Restrict user permissions to minimize who can create/modify URL fields
- Implement web application firewall rules to detect and block XSS payloads in URL parameters
🔍 How to Verify
Check if Vulnerable:
Check SolarWinds Platform version in the web interface under Help > About. If version is earlier than 2025.4.1, the system is vulnerable.
Check Version:
In SolarWinds web interface: Navigate to Help > About to view version information
Verify Fix Applied:
After patching, verify the version shows 2025.4.1 or later. Test URL fields by attempting to inject basic XSS payloads like <script>alert('test')</script> and confirm they are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual URL parameter values containing script tags or JavaScript code
- Multiple failed XSS attempts in web server logs
- Suspicious user activity from low-privilege accounts
Network Indicators:
- HTTP requests with suspicious parameters containing script tags or JavaScript
- Unusual outbound connections from SolarWinds server following user interactions
SIEM Query:
source="solarwinds_web_logs" AND (url="*<script>*" OR url="*javascript:*" OR param="*onerror=*" OR param="*onload=*")
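The SIEM query above matches the indicators as literal strings, so it only fires when a payload appears unencoded in the log; in practice the same strings usually arrive percent-encoded (%3Cscript%3E, javascript%3A). As an added example that is not part of the original advisory, the Python below applies the same four indicators after URL-decoding each query parameter and then counts findings per user, which ties the "multiple attempts" and "low-privilege account" indicators together. The log lines are constructed in Common Log Format for this example, and the /app/links path is a placeholder, not a real SolarWinds endpoint.

```python
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# The SIEM query's indicators as regexes, applied to URL-decoded parameter values.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"\bon(?:error|load)\s*=", re.I),
}

# Common Log Format: ip ident user [timestamp] "METHOD target protocol" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real SolarWinds logs); /app/links is a placeholder path.
SAMPLE_LOGS = [
    '10.0.0.5 - alice [01/Mar/2025:10:00:01 +0000] "GET /app/links?url=https%3A%2F%2Fexample.com HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Mar/2025:10:00:07 +0000] "POST /app/links?url=javascript%3Aalert(1) HTTP/1.1" 200 120',
    '10.0.0.9 - bob [01/Mar/2025:10:00:09 +0000] "GET /app/links?url=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.9 - bob [01/Mar/2025:10:00:12 +0000] "GET /app/links?url=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 512',
    '10.0.0.7 - carol [01/Mar/2025:10:01:00 +0000] "GET /app/links?url=https%3A%2F%2Fintranet%2Fonload-schedule HTTP/1.1" 200 512',
]


def scan_line(line: str) -> Optional[Dict]:
    """Return a finding for one access-log line, or None if no indicator matched."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    hits = []
    # parse_qsl percent-decodes once; a second unquote catches double-encoded payloads.
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)
        for indicator, rx in INDICATORS.items():
            if rx.search(decoded):
                hits.append((name, indicator))
    if not hits:
        return None
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        "user": m.group("user"),
        "path": urlsplit(target).path,
        "hits": hits,
    }


def scan_logs(lines: List[str]) -> List[Dict]:
    """Run scan_line over a batch of lines and keep only the findings."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


def repeat_offenders(findings: List[Dict], threshold: int = 2) -> Dict[str, int]:
    """Users with at least `threshold` findings: the 'multiple attempts' indicator."""
    counts = Counter(f["user"] for f in findings)
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_logs(SAMPLE_LOGS)
    for f in found:
        print(f["ts"], f["user"], f["ip"], f["path"], f["hits"])
    print("repeat offenders:", repeat_offenders(found))
```

Note that carol's line, whose URL merely contains the substring "onload" in a path, does not fire, because the event-handler pattern requires an "=" after the attribute name; a wildcard match on "*onload*" in the SIEM would flag it.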