Documentation for SolarWinds Platform Self-Hosted

SolarWinds Platform 2025.2.1 release notes

Release date: July 24, 2025

Last updated: August 22, 2025

Fixed customer issues: August 22, 2025

SolarWinds Platform 2025.2.1 is a service release providing bug and security fixes for release 2025.2. For information about the SolarWinds Platform release, including EOL notices and upgrade information, see SolarWinds Platform 2025.2 Release Notes.

Fixed CVEs

At SolarWinds, we prioritize the swift resolution of CVEs to ensure the security and integrity of our software. In this release, we have successfully addressed the following CVEs.

SolarWinds CVEs

SolarWinds would like to thank the security researchers credited below for reporting the issue responsibly and for working with our security, product, and engineering teams to fix the vulnerability.

CVE-2025-26397
Vulnerability title: SolarWinds Observability Deserialization of Untrusted Data Local Privilege Escalation Vulnerability
Description: SolarWinds Observability Self-Hosted is susceptible to a deserialization of untrusted data local privilege escalation vulnerability. An attacker with low privileges can escalate privileges to run malicious files copied to a permission-protected folder. This vulnerability requires authentication from a low-level account and local access to the host server.
Severity: 7.8 High
Credit: ccc working with the Trend Micro Zero Day Initiative

Third-party CVEs

CVE-2024-12797
Vulnerability title: OpenSSL Man-in-the-Middle (MITM) vulnerability
Description: Clients using RFC 7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.

Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-the-middle attacks when server authentication failure is not detected by clients. RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER. Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected. This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Severity: 6.3 Medium

CVE-2024-9143
Vulnerability title: OpenSSL Memory Out-of-Bounds Vulnerability
Description: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes.

Impact summary: Out-of-bounds memory writes can lead to an application crash or even a possibility of remote code execution; however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. Thus the likelihood of a vulnerable application existing is low. In particular, the X9.62 encoding is used for ECC keys in X.509 certificates, so problematic inputs cannot occur in the context of processing X.509 certificates. Any problematic use cases would have to be using an "exotic" curve encoding. The affected APIs include EC_GROUP_new_curve_GF2m(), EC_GROUP_new_from_params(), and various supporting BN_GF2m_*() functions. Applications working with "exotic" explicit binary (GF(2^m)) curve parameters that make it possible to represent invalid field polynomials with a zero constant term, via the above or similar APIs, may terminate abruptly as a result of reading or writing outside of array bounds. Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Severity: 4.3 Medium

CVE-2024-13176
Vulnerability title: OpenSSL Timing Side-Channel Vulnerability
Description: A timing side-channel that could potentially allow recovering the private key exists in the ECDSA signature computation.

Impact summary: A timing side-channel in ECDSA signature computations could allow an attacker to recover the private key. However, measuring the timing would require either local access to the signing application or a very fast network connection with low latency. There is a timing signal of around 300 nanoseconds when the top word of the inverted ECDSA nonce value is zero. This can happen with significant probability only for some of the supported elliptic curves. In particular, the NIST P-521 curve is affected. To be able to measure this leak, the attacker process must either be located on the same physical computer or must have a very fast network connection with low latency. For that reason the severity of this vulnerability is Low. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are affected by this issue.
Severity: 4.1 Medium
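The CVE-2024-9143 entry above turns on one malformed input class: an explicit binary-curve field polynomial that does not describe a field at all, for example one with a zero constant term. The Python below is an example added here, not code from SolarWinds or OpenSSL, showing the parameter validation an application can apply before it hands an explicit GF(2^m) field polynomial to low-level EC APIs such as EC_GROUP_new_curve_GF2m(): it rejects a zero constant term (x then divides the polynomial), a degree that is too small, and any polynomial that is reducible over GF(2), using Ben-Or's irreducibility test. The sample polynomials are the reduction polynomials of the NIST binary curves B-163, B-233 and B-283 as reproduced from memory, plus constructed malformed variants; none of them come from this page, and the function names are this example's own.

```python
"""Validate an explicit GF(2^m) field polynomial before passing it to EC APIs.

Added example (not SolarWinds or OpenSSL code). A polynomial over GF(2) is
held as a Python int: bit i set means the term x^i is present.
"""
from __future__ import annotations


def poly_from_exponents(exponents) -> int:
    """Build a GF(2) polynomial from the list of exponents of its nonzero terms."""
    f = 0
    for e in exponents:
        f |= 1 << e
    return f


def gf2_deg(p: int) -> int:
    """Degree of a GF(2) polynomial (-1 for the zero polynomial)."""
    return p.bit_length() - 1


def gf2_mod(a: int, m: int) -> int:
    """Reduce polynomial a modulo the nonzero polynomial m over GF(2)."""
    dm = gf2_deg(m)
    while a and gf2_deg(a) >= dm:
        a ^= m << (gf2_deg(a) - dm)
    return a


def gf2_mulmod(a: int, b: int, m: int) -> int:
    """Carry-less multiply a*b modulo m over GF(2), reducing after each shift."""
    dm = gf2_deg(m)
    a, b, r = gf2_mod(a, m), gf2_mod(b, m), 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> dm) & 1:  # degree reached dm: subtract m to stay reduced
            a ^= m
    return r


def gf2_gcd(a: int, b: int) -> int:
    """Euclid's algorithm over GF(2)[x]."""
    while b:
        a, b = b, gf2_mod(a, b)
    return a


def gf2_is_irreducible(f: int) -> bool:
    """Ben-Or test: f of degree n is irreducible over GF(2) iff
    gcd(f, x^(2^i) - x) == 1 for every 1 <= i <= n // 2."""
    n = gf2_deg(f)
    if n < 1:
        return False
    x = 0b10
    h = x
    for _ in range(n // 2):
        h = gf2_mulmod(h, h, f)  # h = x^(2^i) mod f  (squaring is the Frobenius map)
        if gf2_deg(gf2_gcd(f, h ^ x)) > 0:  # h ^ x is h - x over GF(2)
            return False
    return True


def validate_gf2m_field_polynomial(f: int, min_degree: int = 2) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate binary-curve field polynomial.

    Checks, in order: the constant term is 1 (a zero constant term is the
    malformed class CVE-2024-9143 describes: x divides f, so f is reducible);
    the degree is at least min_degree; and f is irreducible over GF(2), which is
    what makes GF(2)[x]/(f) a field at all.
    """
    if f <= 0:
        return False, "polynomial must be non-zero"
    if f & 1 == 0:
        return False, "constant term is zero (x divides the polynomial)"
    if gf2_deg(f) < min_degree:
        return False, f"degree {gf2_deg(f)} below minimum {min_degree}"
    if not gf2_is_irreducible(f):
        return False, "polynomial is reducible over GF(2)"
    return True, "ok"


# Constructed sample inputs: NIST binary-curve reduction polynomials (from memory)
# and deliberately malformed variants that a validator must reject.
SAMPLE_POLYNOMIALS = {
    "B-163": [163, 7, 6, 3, 0],
    "B-233": [233, 74, 0],
    "B-283": [283, 12, 7, 5, 0],
    "B-163 without constant term": [163, 7, 6, 3],
    "(x^2+x+1)^2": [4, 2, 0],
    "degree 1": [1, 0],
}


def check_samples() -> dict[str, tuple[bool, str]]:
    """Run the validator over every sample and return the verdicts by name."""
    return {name: validate_gf2m_field_polynomial(poly_from_exponents(exps))
            for name, exps in SAMPLE_POLYNOMIALS.items()}


if __name__ == "__main__":
    for name, (ok, why) in check_samples().items():
        print(f"{'ACCEPT' if ok else 'REJECT'} {name}: {why}")
```

Applications that only ever accept named curves never reach this code path; it matters only where "exotic" explicit binary parameters are parsed from an untrusted source, which is exactly the situation the OpenSSL advisory text singles out.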

Fixed customer issues

Case number Description

01924263: When you add or edit a node, the Read/Write Community String box no longer appears to contain a value when it is empty.

01815719, 01941855: Different default encryption values for different libraries no longer prevent the Certificate Management Service from connecting to the database, which caused the Configuration Wizard to fail.

01974384: Nodes assigned to scheduled maintenance are no longer unassigned after database maintenance.

01962660: If you are setting up a high availability (HA) pool using BIND DNS and a DNS record already exists, an error is displayed when you click Test. However, you can now click Next and continue the operation.

01845129, 01923540, 01935611, 01938562: When a map is loading, failure to establish a connection using the ServerSentEvents or LongPolling protocols no longer prevents the map from loading. The map is displayed; however, live updates are not available.

01920725: When access point and client IP addresses are blank or null, polling no longer fails for Arista Wireless Manager devices. The Wireless Summary view displays the latest device information.

01964607: The following actions no longer trigger audit events with the message "Access denied":

  • A user with privileges to unmanage objects and mute alerts on a node (but who is not an admin or node manager) opens a Node Details, Volume Details, or Interface Details page.

  • A user with privileges to manage Performance Analysis (PerfStack™) dashboards opens a details page that includes PerfStack resources.

01446736, 01951815: PerfStack dashboards and node details pages no longer display a different status for the same node. This was caused by duplicate records in a status calculation table in the database.

01965968: When a user with report management rights (but not admin rights) attempts to create a report schedule, saving the report schedule no longer fails with the following message:

Unexpected website error ProvideFault failed, check fault information

01960323, 01962499, 01962745: When the SolarWinds Platform database is on SQL Server 2016, upgrades from 2025.1.1 no longer fail.

01330910, 01838359, 01913218: An issue that caused stacked Additional Polling Engine licenses to be incorrectly reassigned after an upgrade has been resolved. Users on a version prior to this release might encounter this issue.

Legal notices

© 2025 SolarWinds Worldwide, LLC. All rights reserved.

This document may not be reproduced by any means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other means without the prior written consent of SolarWinds. All right, title, and interest in and to the software, services, and documentation are and shall remain the exclusive property of SolarWinds, its affiliates, and/or its respective licensors.

SOLARWINDS DISCLAIMS ALL WARRANTIES, CONDITIONS, OR OTHER TERMS, EXPRESS OR IMPLIED, STATUTORY OR OTHERWISE, ON THE DOCUMENTATION, INCLUDING WITHOUT LIMITATION NONINFRINGEMENT, ACCURACY, COMPLETENESS, OR USEFULNESS OF ANY INFORMATION CONTAINED HEREIN. IN NO EVENT SHALL SOLARWINDS, ITS SUPPLIERS, NOR ITS LICENSORS BE LIABLE FOR ANY DAMAGES, WHETHER ARISING IN TORT, CONTRACT OR ANY OTHER LEGAL THEORY, EVEN IF SOLARWINDS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks of (and may be registered trademarks) of their respective companies.