CVE-2025-26392 – SolarWinds Observability Self-Hosted contains a... (How to Fix)

Q: What is the severity of CVE-2025-26392?

CVE-2025-26392 has a CVSS score of 5.4 (MEDIUM). SolarWinds Observability Self-Hosted contains a SQL injection vulnerability that allows authenticated low-privilege users to extract sensitive data from the database. This affects organizations running vulnerable versions of SolarWinds Observability Self-Hosted. Attackers need valid low-level credentials to exploit this vulnerability.

📋 TL;DR

SolarWinds Observability Self-Hosted contains a SQL injection vulnerability that allows authenticated low-privilege users to extract sensitive data from the database. This affects organizations running vulnerable versions of SolarWinds Observability Self-Hosted. Attackers need valid low-level credentials to exploit this vulnerability.

💻 Affected Systems

Products:

SolarWinds Observability Self-Hosted

Versions: Versions prior to 2025.4

Operating Systems: All supported platforms

Default Config Vulnerable: ⚠️ Yes

Notes: Requires authentication with low-privilege account. All default configurations are vulnerable.

📦 What is this software?

Observability Self Hosted by Solarwinds

View all CVEs affecting Observability Self Hosted →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with low-privilege credentials could extract sensitive database information including credentials, configuration data, or monitoring data, potentially leading to further system compromise.

🟠

Likely Case

An authenticated user could extract limited sensitive data from the database, potentially exposing configuration details or monitoring information.

🟢

If Mitigated

With proper access controls and monitoring, exploitation would be detected and limited to authorized low-privilege users with legitimate access.

🌐 Internet-Facing: MEDIUM

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires authenticated access with low-privilege credentials. No public exploit code available at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2025.4 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26392

Restart Required: No

Instructions:

1. Download SolarWinds Observability Self-Hosted version 2025.4 or later from SolarWinds customer portal. 2. Follow standard upgrade procedures for your deployment. 3. Verify successful upgrade and test functionality.

🔧 Temporary Workarounds

Restrict Low-Privilege Account Access

all

Temporarily restrict or disable low-privilege accounts until patching can be completed.

🧯 If You Can't Patch

Implement strict network segmentation to isolate SolarWinds Observability systems from sensitive networks.
Enhance monitoring of database queries from low-privilege accounts and implement alerting for suspicious SQL patterns.

🔍 How to Verify

Check if Vulnerable:

Check current version in SolarWinds Observability Self-Hosted web interface under Help > About. If version is earlier than 2025.4, system is vulnerable.

Check Version:

Check web interface at Help > About or consult SolarWinds documentation for CLI version check commands specific to your deployment.

Verify Fix Applied:

After upgrading, verify version shows 2025.4 or later in Help > About. Test functionality to ensure no regression issues.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL query patterns from low-privilege accounts
Multiple failed SQL injection attempts in application logs
Unexpected database access from application accounts

Network Indicators:

Unusual database query patterns from application servers
Multiple similar SQL requests in short timeframes

SIEM Query:

source="solarwinds-observability" AND (sql_injection OR sql_error OR "sql syntax") AND user="low_privilege_account"

📊 Metadata

CVE ID: CVE-2025-26392

CVSS v3 Score: 5.4 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CWE: CWE-89

EPSS Score: 0.16% exploit probability (36.9th percentile)

Published: October 21, 2025

Last Updated: November 12, 2025

🔗 References

https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/hco_2025-4_release_notes.htm Release Notes
https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26392 Patch,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-26392, you might also want to check these: