SolarWinds Observability Self-Hosted 2025.4.1 release notes
Release date: November 18, 2025
Here's what's new in SolarWinds Observability Self-Hosted 2025.4.1. You can find the applicable system requirements here.
To view release notes, system requirements, and product guide PDFs for supported versions of SolarWinds Observability Self-Hosted, see SolarWinds Observability Self-Hosted previous versions. To view release notes for multiple versions
SolarWinds Observability Self-Hosted runs on the SolarWinds Platform (self-hosted). SolarWinds Observability Self-Hosted release notes include the updates from the SolarWinds Platform (self-hosted).
New features and improvements in SolarWinds Platform
Cloud Discovery in Settings
You can now discover and edit your cloud infrastructure directly from the Settings menu. Click Settings > Cloud Discovery to begin.
New features and improvements in SolarWinds Observability Self-Hosted Essentials
The following features are exclusive to customers with a SolarWinds Observability Self-Hosted license.
Additional updates
-
Improved security controls related to SNMP credentials.
Fixed CVEs
At SolarWinds, we prioritize the swift resolution of CVEs to ensure the security and integrity of our software. In this release, we have successfully addressed the following CVEs.
SolarWinds CVEs
SolarWinds would like to thank our Security Researchers below for reporting on the issue in a responsible manner and working with our security, product, and engineering teams to fix the vulnerability.
| CVE-ID | Vulnerability Title | Description | Severity | Credit |
|---|---|---|---|---|
| CVE-2025-40545 | SolarWinds Observability Self-Hosted Open Redirection Vulnerability | SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required. | 4.8 Medium | Frédéric Goossens |
| CVE-2025-26391 | SolarWinds Observability Self-Hosted XSS Vulnerability | SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to a XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account. | 5.4 Medium | The KPN REDteam |
Third-party CVEs
| CVE-ID | Vulnerability title | Description | Severity |
|---|---|---|---|
| CVE-2024-13009 | Eclipse Jetty Information Disclosure | In Eclipse Jetty versions 9.4.0 to 9.4.56 a buffer can be incorrectly released when confronted with a gzip error when inflating a request body. This can result in corrupted and/or inadvertent sharing of data between requests. | 7.2 High |
| CVE-2024-12798 | Logback-core Expression Language Injection vulnerability | ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment variable before program execution. Malicious logback configuration files can allow the attacker to execute arbitrary code using the JaninoEventEvaluator extension. A successful attack requires the user to have write access to a configuration file. Alternatively, the attacker could inject a malicious environment variable pointing to a malicious configuration file. In both cases, the attack requires existing privilege | 5.9 Medium |
| CVE-2024-12801 | Logback-core Server-Side Request Forgery | Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE declaration in XML configuration files. | 2.4 Low |
| CVE-2024-47072 | Xstream Denial of Service Vulnerability | XStream is a simple library to serialize objects to XML and back again. This vulnerability may allow a remote attacker to terminate the application with a stack overflow error resulting in a denial of service only by manipulating the processed input stream when XStream is configured to use the BinaryStreamDriver. XStream 1.4.21 has been patched to detect the manipulation in the binary input stream causing the the stack overflow and raises an InputManipulationException instead. Users are advised to upgrade. Users unable to upgrade may catch the StackOverflowError in the client code calling XStream if XStream is configured to use the BinaryStreamDriver. | 7.5 Medium |
| CVE-2024-6763 | Eclipse Jetty Server-Side Request Forgery | Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks. | 3.7 Low |
| CVE-2024-8184 | Eclipse Jetty Denial of Service Vulnerability | There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory. | 5.9 Medium |
Fixed customer issues
| Case number | Description | Platform product |
|---|---|---|
| 01995892 | An issue has been fixed that caused an agent's status to be reported incorrectly after the agent reconnected. | Platform |
| 02028762 | Device Inventory can no longer be accessed by a limited user, and a Device Tracker Inventory Pages limitation has been added. Users without the required permissions will see a Restricted page message if they attempt to access the view. |
UDT |
| N/A | Users without proper permissions can no longer post data to Discovery.asmx service methods (Discovery.asmx/AddDeviceWatchList or Discovery.asmx/EditDeviceWatchList). |
UDT |
| 02029352 | Cisco Meraki MS150-24MP-4X and Cisco Meraki MS130-8P-I are now correctly detected and classified. Previously, these Meraki device models were not recognized under known machine types. The database has been updated to include additional models from the latest MIB to ensure accurate device identification. |
NPM |
| 02017191 | Data about SD-WAN tunnels is no longer missing for VeloCloud devices. The polling logic has been improved to correctly handle empty public IPv6 address values, ensuring that tunnel statistics and status information are collected. |
NPM |
| 02021525 | When you create a custom report that includes a SAM chart such as User and Computer Events on the Node, editing a time period (such as the Default zoom range) no longer causes previews to fail with the following error:
|
Platform |
| 01988198 | Active Alert widgets and the Active Alerts page no longer load data slowly. | EOC |
| 02028979, 02029241, 02029663, 02033290 | An issue that caused upgrades to fail with errors such as the following was fixed:
|
NPM |
| 02015985 | The Topology Calculator no longer results in excessive CPU utilization in large environments. The calculation logic has been optimized to consume fewer resources while maintaining performance. | NPM |
| N/A | Adding a SolarWinds Site that has Windows authentication enabled no longer fails with the following message:
|
EOC |
| 01956300 | When you monitor Azure Virtual Network Gateways, monitoring no longer fails when SolarWinds Observability Self-Hosted is deployed behind authenticated proxy servers and does not have direct access to login.microsoftonline.com. |
NPM |
| 01947043 | Newly added Prisma SD-WAN nodes are no longer incorrectly shown as Down because an older API endpoint did not accurately detect the status. Polling has been updated to use a newer API endpoint, and the status is accurately reported. |
NPM |
| 00743703, 00972181 | Host header verification has been implemented to prevent host header attacks. | Platform |
Installation or upgrade
For new SolarWinds Platform deployments, download the installation file from the product page on https://www.solarwinds.com or from the Customer Portal. For more information, see Get the installer.
To activate your product in an existing SolarWinds Platform deployment, use the License Manager.
For upgrades, go to Settings > My Deployment to initiate the upgrade. The SolarWinds Installer upgrades your entire deployment (all SolarWinds Platform products and any scalability engines).
For more information, see the SolarWinds Platform Product Installation and Upgrade Guide.
For supported upgrade paths, see Upgrade an existing deployment.
End of life
| Version | EoL announcement | EoE effective date | EoL effective date |
|---|---|---|---|
| 2023.4 | October 21, 2025: End-of-Life (EoL) announcement – Customers on SolarWinds Observability Self-Hosted version 2023.4 or earlier should begin transitioning to the latest version of SolarWinds Observability Self-Hosted. | November 20, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Observability Self-Hosted version 2023.4 or earlier will no longer actively be supported by SolarWinds. | November 20, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Observability Self-Hosted version 2023.4. |
| 2023.3 | October 21, 2025: End-of-Life (EoL) announcement – Customers on SolarWinds Observability Self-Hosted version 2023.3 or earlier should begin transitioning to the latest version of SolarWinds Observability Self-Hosted. | November 20, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Observability Self-Hosted version 2023.3 or earlier will no longer actively be supported by SolarWinds. | November 20, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Observability Self-Hosted version 2023.3. |
| 2023.2 | June 10, 2025: End-of-Life (EoL) announcement – Customers on SolarWinds Observability Self-Hosted version 2023.2 or earlier should begin transitioning to the latest version of SolarWinds Observability Self-Hosted. | July 10, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Observability Self-Hosted version 2023.2 or earlier will no longer actively be supported by SolarWinds. | July 10, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Observability Self-Hosted version 2023.2. |
| 2023.1 | February 11, 2025: End-of-Life (EoL) announcement – Customers on SolarWinds Observability Self-Hosted version 2023.1 or earlier should begin transitioning to the latest version of SolarWinds Observability Self-Hosted. | March 13, 2025: End-of-Engineering (EoE) – Service releases, bug fixes, workarounds, and service packs for SolarWinds Observability Self-Hosted version 2023.1 or earlier will no longer actively be supported by SolarWinds. | March 13, 2026: End-of-Life (EoL) – SolarWinds will no longer provide technical support for SolarWinds Observability Self-Hosted version 2023.1. |
See the End of Life Policy for information about SolarWinds product life cycle phases. To see EoL dates for earlier SolarWinds Observability Self-Hosted versions, see SolarWinds Observability Self-Hosted release history.
Deprecation notice
The following platforms and features are still supported in the current release. However, they will be unsupported in a future release. Plan on upgrading deprecated platforms, and avoid using deprecated features.
SQL Server 2016
SQL Server 2016 is deprecated as of 2025.2. It is still available and supported in the current release, but will be removed in a future release. Consider using SQL Server 2017 or later.
Network Atlas
Network Atlas is deprecated as of Orion Platform 2020.2. It is still available and supported in the current release, but will be removed in a future release. Deprecation is an indication that you should avoid expanded use of this feature and formulate a plan to discontinue using the feature. SolarWinds recommends that you start using Intelligent Maps in the SolarWinds Platform Web Console to display maps of physical and logical relationships between entities monitored by the SolarWinds Platform products you have installed.
Starting with 2024.2, you can import Network Atlas maps to Intelligent Maps. See Import maps.
Legal notices
© 2025 SolarWinds Worldwide, LLC. All rights reserved.
This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.
SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.