· 2 min readsecuritysoftware

SolarWinds Finally Patches Sunburst and Supernova

SolarWinds shipped fresh patches on January 25 addressing both the Sunburst backdoor and the separate Supernova malware found in its Orion platform.

SolarWinds put out another round of patches today for its Orion platform, and this time the update covers two distinct threats: the Sunburst backdoor that kicked off this whole mess, and a separate piece of malware called Supernova that researchers found riding along in some Orion deployments. The company says a further advisory covering both will follow on January 29, so this isn’t the last word — just the next one.

It’s worth restating why this matters. Sunburst wasn’t a bug that got exploited after the fact. It was inserted directly into the build process, via a second implant called Sunspot, so that legitimate, signed Orion updates shipped with a backdoor already baked in. Customers who dutifully kept their network-monitoring software current were the ones who got owned. That’s about as bad as software supply-chain compromise gets, and it’s why the FBI, CISA, ODNI, and NSA felt the need to jointly attribute the campaign to a threat actor “likely Russian in origin” earlier this month.

Supernova is a different animal, and it’s easy to conflate the two. Where Sunburst came from tampering with SolarWinds’ own build pipeline, Supernova appears to be a separate piece of malware that exploited a vulnerability in Orion to run arbitrary code — not something baked into the trusted update itself. Bundling a fix for it into the same patch cycle as Sunburst makes sense operationally, but it’s a reminder that the SolarWinds incident isn’t one clean story with one root cause. It’s at least two.

Why the timeline still matters

We’re three weeks past the point where the federal government put a name (sort of) to who did this, and SolarWinds is still shipping incremental fixes. If you’re running Orion in your environment, the practical advice hasn’t changed since December: patch immediately, assume compromise if you were running an affected build during the exposure window, and don’t treat “we applied the patch” as equivalent to “we’ve confirmed the attacker is gone.” Researchers have already pointed out code overlaps between Sunburst and Kazuar, a backdoor tied to the Turla group, which suggests whoever built this has been refining these techniques for a while and isn’t shy about reusing tradecraft.

For everyone else — meaning most of us who don’t run Orion — the lesson is broader. This incident has become the reference case for build-pipeline integrity, and it’s already showing up in how companies think about signing, provenance, and reproducible builds. Expect vendor security questionnaires to start asking pointed questions about build-server access that they never used to ask. SolarWinds will keep patching for a while yet; the harder, slower work is everyone else deciding what changes so this doesn’t happen again.

Related posts

Latest on Daily Signal

All posts →