Vulnerability Discovered in SolarWinds Web Help Desk Due to Hardcoded Credentials
SolarWinds has released patches to fix a recent security vulnerability in its Web Help Desk (WHD) software which may permit unauthorized access to vulnerable instances by remote unauthenticated users.
In a new advisory issued today, the company stated that “The SolarWinds Web Help Desk (WHD) software is impacted by a hardcoded credential vulnerability, allowing an unauthorized remote user to gain access to internal functionalities and alter data.”
The vulnerability, identified as CVE-2024-28987, has been rated 9.1 on the CVSS scoring system, marking it as critically severe. The discovery and reporting of the flaw have been credited to security researcher Zach Hanley from Horizon3.ai.
Users are advised to upgrade to version 12.8.3 Hotfix 2; applying the fix requires that Web Help Desk 12.8.3.1813 or 12.8.3 HF1 already be installed.
This disclosure follows SolarWinds' recent effort to address another critical vulnerability in the same software that allowed arbitrary code execution (CVE-2024-28986, CVSS score: 9.8).
Although the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that this earlier flaw is being actively exploited in the wild, the methods employed in real-world attacks remain undisclosed.
Further details regarding CVE-2024-28987 are anticipated to be disclosed in the upcoming month, emphasizing the importance of timely implementation of updates to mitigate potential risks.