SolarWinds has provided a hotfix for a critical-severity flaw stemming from a hardcoded credential in its Web Help Desk software.
The flaw (CVE-2024-28987), which scores 9.1 out of 10 on the CVSS scale, could allow remote, unauthenticated attackers to access internal functionality and modify data. It exists in SolarWinds’s Web Help Desk, which is essentially a centralized, web-based help desk ticketing system.
SolarWinds did not give further details about the flaw, but said that Web Help Desk 12.8.3 HF1 and all previous versions are impacted, and that a fixed version, 12.8.3 HF2, is available. Version 12.8.3 HF1 was released just last week to fix a critical Java deserialization remote code execution flaw in Web Help Desk (CVE-2024-28986), which, if exploited, could allow an attacker to run commands on the host machine.
“This hotfix addresses the SolarWinds Web Help Desk Broken Access Control Remote Code Execution vulnerability fixed in WHD 12.8.3 Hotfix 1, as well as fixing the SolarWinds Web Help Desk Hardcoded Credential vulnerability, and restoring the affected product functionality found in WHD 12.8.3 Hotfix 1,” according to SolarWinds’s Thursday security advisory.
The previously disclosed remote code execution bug (CVE-2024-28986) was also added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities catalog on Aug. 15, although no further details about exploitation activity for the bug have been revealed.
Zach Hanley, vulnerability researcher with Horizon3.ai, was credited with finding the hardcoded credential flaw, and on Twitter Hanley said that he reported the vulnerability to SolarWinds on Aug. 15 “after digging into the recent CISA KEV CVE-2024-28986 for WebHelpDesk,” and that more information would be released next month.
SolarWinds is urging customers to install the hotfix for this latest vulnerability, with further details for installation available on its support page. The company has reported several other vulnerabilities over the past year, including a path traversal bug in Serv-U (CVE-2024-28995) that was reportedly being exploited in the wild in June.