CVE-2025-26397
📋 TL;DR
SolarWinds Observability Self-Hosted has a deserialization vulnerability that allows authenticated low-privilege users to escalate privileges locally. Attackers can execute malicious files in protected folders after gaining initial access. Organizations running vulnerable versions of SolarWinds Observability Self-Hosted are affected.
💻 Affected Systems
- SolarWinds Observability Self-Hosted
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the SolarWinds server with SYSTEM/root privileges, enabling lateral movement, data theft, and persistent backdoor installation.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, and access sensitive monitoring data.
If Mitigated
Limited impact due to proper access controls, network segmentation, and monitoring preventing initial low-privilege access.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of the target system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2.1
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-26397
Restart Required: Yes
Instructions:
1. Back up the current configuration and data.
2. Download SolarWinds Platform 2025.2.1 from the SolarWinds Customer Portal.
3. Run the installer with administrative privileges.
4. Follow the upgrade wizard.
5. Restart services as prompted.
🔧 Temporary Workarounds
Restrict Local Access
Limit local login capabilities to only the necessary administrative accounts
Implement Least Privilege
Review and minimize low-privilege accounts with access to SolarWinds systems
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SolarWinds servers from general user networks
- Deploy application allowlisting to prevent execution of unauthorized files in protected folders
🔍 How to Verify
Check if Vulnerable:
Check SolarWinds version in web interface under Settings > All Settings > Product Information
Check Version:
On Windows: Get-ItemProperty HKLM:\SOFTWARE\SolarWinds\Orion\ -Name Version | Select-Object Version
Verify Fix Applied:
Verify version shows 2025.2.1 or later after patching
📡 Detection & Monitoring
Log Indicators:
- Unusual privilege escalation events in Windows Event Logs or Linux audit logs
- Unexpected file creation in protected SolarWinds directories
- Suspicious process execution from low-privilege accounts
Network Indicators:
- Unusual outbound connections from SolarWinds servers
- Anomalous authentication patterns to SolarWinds interfaces
SIEM Query:
source="windows_security" EventCode=4672 AND AccountName!="SYSTEM" AND AccountName!="LOCAL SERVICE" AND AccountName!="NETWORK SERVICE"