CISA warns of SolarWinds WHD vulnerability


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned of active exploitation of a critical security flaw in SolarWinds Web Help Desk (WHD) software. The vulnerability, tracked as CVE-2024-28987 with a CVSS score of 9.1, involves hard-coded credentials that can be abused to gain unauthorized access and make modifications. CISA stated in an advisory, “SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data.”

SolarWinds first disclosed details of the flaw in late August 2024, and cybersecurity firm Horizon3.ai released additional technical specifics a month later.

According to security researcher Zach Hanley, the vulnerability allows unauthenticated attackers to remotely read and modify all help desk ticket details, which often contain sensitive information such as passwords from reset requests and shared service account credentials. The development comes two months after CISA added another flaw in the same software, CVE-2024-28986 (CVSS score 9.8), to the Known Exploited Vulnerabilities (KEV) catalog.

In response to the active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes, version 12.8.3 Hotfix 2 or later, by November 5, 2024, to secure their networks. It is currently unclear how the vulnerability is being exploited in real-world attacks.

CISA alerts on WHD flaw

CISA has not provided additional information regarding the exploitation process beyond what is available in the KEV catalog. The flaw, tracked as CVE-2024-28987, affects Web Help Desk 12.8.3 HF1 and all earlier versions; it is fixed in 12.8.3 HF2.

The patch for this flaw needs to be manually installed. A SolarWinds spokesperson stated, “We have seen no threat activity against patched instances and encourage all customers to update SolarWinds Web Help Desk (WHD) 12.8.3 HF1 and all previous versions to 12.8.3 HF2.”
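Because the hotfix is applied by hand, the practical first step is an inventory check: which WHD hosts still run 12.8.3 HF1 or older, and which of those are reachable from the internet. The script below is an added example and is not SolarWinds or CISA code. It assumes version strings of the form "MAJOR.MINOR.PATCH" with an optional " HFn" hotfix suffix (as in "12.8.3 HF1"), and the inventory it runs over is constructed sample data with made-up hostnames.

```python
import re
from datetime import date

# Fixed build named by SolarWinds and CISA for CVE-2024-28987; everything
# older (12.8.3 HF1 and all previous versions) is treated as vulnerable.
FIXED_VERSION = "12.8.3 HF2"
# FCEB remediation deadline from the KEV entry.
KEV_DUE_DATE = date(2024, 11, 5)

# Assumed version-string format: MAJOR.MINOR.PATCH with an optional " HFn"
# hotfix suffix, e.g. "12.8.3" or "12.8.3 HF1".
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor, patch, hotfix) so versions compare correctly as tuples.

    A base release carries hotfix 0, so "12.8.3" < "12.8.3 HF1" < "12.8.3 HF2" < "12.8.4".
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix) if hotfix else 0)


def is_vulnerable(version):
    """True if the reported build predates the fixed build."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def triage(inventory, today):
    """Rank hosts for patching.

    inventory: iterable of (hostname, version_string, internet_exposed) tuples.
    Returns a list of dicts, highest priority first: exposed vulnerable hosts,
    then internal vulnerable hosts, then entries whose version could not be
    parsed (and must be checked by hand), then patched hosts.
    """
    rank = {"P1": 0, "P2": 1, "UNKNOWN": 2, "OK": 3}
    findings = []
    for host, version, exposed in inventory:
        try:
            vulnerable = is_vulnerable(version)
        except ValueError:
            vulnerable = None
        if vulnerable is None:
            priority = "UNKNOWN"
        elif vulnerable and exposed:
            priority = "P1"
        elif vulnerable:
            priority = "P2"
        else:
            priority = "OK"
        findings.append({
            "host": host,
            "version": version,
            "exposed": exposed,
            "vulnerable": vulnerable,
            "priority": priority,
            "days_to_kev_deadline": (KEV_DUE_DATE - today).days,
        })
    findings.sort(key=lambda f: (rank[f["priority"]], f["host"]))
    return findings


# Constructed sample inventory; hostnames and versions are made up for the example.
SAMPLE_INVENTORY = [
    ("whd-dmz.example.org", "12.8.3 HF1", True),
    ("whd-corp.example.org", "12.8.3", False),
    ("whd-lab.example.org", "12.8.3 HF2", True),
    ("whd-legacy.example.org", "build-unknown", False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, date(2024, 10, 16)):
        print(f"{f['priority']:<7} {f['host']:<25} {f['version']:<12} "
              f"exposed={f['exposed']} deadline_in={f['days_to_kev_deadline']}d")
```

The hotfix suffix is the detail that trips up naive string comparison: "12.8.3 HF1" sorts after "12.8.3 HF2" lexically only by luck, and "12.8.3" alone compares as shorter rather than older. Parsing into a tuple with an explicit hotfix component makes the ordering correct for every build number the vendor has shipped, and entries that fail to parse are surfaced rather than silently treated as patched.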


As of late September, about 827 instances of SolarWinds Web Help Desk remained publicly exposed to the internet, according to Zach Hanley, a vulnerability researcher at Horizon3.ai who discovered the flaw. Hanley noted, “When assessing the exposure of our own clients, we found that organizations typically revealed sensitive process information for IT procedures such as user onboarding, password resets, and accessing shared resources.”

Although the flaw does not by itself give an attacker full control of the WHD server, the credentials exposed in ticket data make lateral movement to other systems a high risk.

WHD is widely used by state and local governments, as well as the education sector. For further details, users are urged to visit SolarWinds’ official channels for security updates and follow CISA’s guidance for mitigating this vulnerability.

Becca Williams is a writer, editor, and small business owner. She writes a column for Smallbiztechnology.com and many more major media outlets.