Introduction

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert concerning a severe vulnerability in SolarWinds Web Help Desk (WHD) software [4], identified as CVE-2024-28987 [1] [2] [3] [4] [7] [10]. This vulnerability poses significant risks due to its potential for unauthorized access and privilege escalation, necessitating immediate attention and remediation from affected organizations.

Description

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding the active exploitation of a severe vulnerability in SolarWinds Web Help Desk (WHD) software [4], tracked as CVE-2024-28987 [1] [2] [3] [4] [7] [10]. This vulnerability, which has a high-risk CVSS score of 9.1 [2] [4], arises from hard-coded admin credentials [10], allowing remote [1] [2] [4] [5], unauthenticated attackers to gain unauthorized access to sensitive internal functions and modify help desk tickets [4]. This unauthorized access can expose sensitive information, including password reset requests and shared service account credentials [4] [6], potentially enabling attackers to escalate their privileges within affected systems [4].

CISA added CVE-2024-28987 to its Known Exploited Vulnerabilities (KEV) catalog on October 15, 2024 [2], due to evidence of active exploitation [2]. Although specific details about the exploitation methods or the identity of the threat actors remain undisclosed [3], it is clear that organizations using SolarWinds WHD for IT service management are at significant risk. SolarWinds first acknowledged this vulnerability in August 2023, shortly after releasing a patch for another critical vulnerability, CVE-2024-28986 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10], which could enable arbitrary code execution [3].

In response to the active exploitation of CVE-2024-28987 [4], CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies remediate this issue by November 5, 2024 [6]. This can be achieved by applying the latest security patch—version 12.8.3 Hotfix 2 or later—or by discontinuing the use of the software to safeguard their networks. While this directive specifically targets FCEB agencies [8], CISA strongly encourages all organizations to prioritize the timely remediation of known vulnerabilities to mitigate exposure to cyberattacks [8].
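For an organization triaging this advisory, the practical first step is to compare every WHD instance in its inventory against the fixed release named above. The following is an added example (not code from the advisory, CISA, or SolarWinds) that parses version strings of the assumed form "12.8.3 Hotfix 2" and flags hosts that are below 12.8.3 Hotfix 2. The version-string format, the hostnames and the inventory values are all constructed assumptions for illustration; adjust the regular expression to whatever format your asset-inventory export actually reports.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed version named in the remediation guidance for CVE-2024-28987:
# 12.8.3 Hotfix 2 (or later). Encoded as (major, minor, patch, hotfix).
FIXED_VERSION = (12, 8, 3, 2)

# ASSUMPTION: WHD versions appear as "12.8.3", "12.8.3 Hotfix 2" or "12.8.3 HF2".
# This pattern is an assumption of the example, not taken from the advisory.
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*(?:Hotfix|HF)\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse 'major.minor.patch [Hotfix N]' into a comparable tuple.

    A release with no hotfix suffix gets hotfix 0, so 12.8.3 sorts below
    12.8.3 Hotfix 1, which in turn sorts below 12.8.3 Hotfix 2. Any later
    release (e.g. 12.8.4) compares greater than the fixed version.
    Returns None for strings that do not match the assumed format.
    """
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_remediated(version_text: str) -> bool:
    """True if the version is 12.8.3 Hotfix 2 or later.

    Unparseable input is deliberately treated as NOT remediated so that it
    surfaces for manual review instead of silently passing.
    """
    parsed = parse_version(version_text)
    return parsed is not None and parsed >= FIXED_VERSION


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'patched', 'needs-patch' or 'unknown-version'."""
    result: Dict[str, str] = {}
    for host, version_text in inventory.items():
        parsed = parse_version(version_text)
        if parsed is None:
            result[host] = "unknown-version"
        elif parsed >= FIXED_VERSION:
            result[host] = "patched"
        else:
            result[host] = "needs-patch"
    return result


# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY = {
    "whd-prod-01.example.internal": "12.8.3 Hotfix 2",
    "whd-prod-02.example.internal": "12.8.3 Hotfix 1",
    "whd-test-01.example.internal": "12.8.3",
    "whd-lab-01.example.internal": "12.8.4",
    "whd-legacy.example.internal": "version not reported",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:32} {SAMPLE_INVENTORY[host]:22} {status}")
```

The one design choice worth noting is the handling of a missing or unrecognized version: it is reported as `unknown-version` rather than assumed safe, because a host whose version cannot be confirmed should stay on the remediation list until someone checks it, not drop off it.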

The presence of hard-coded credentials in SolarWinds WHD highlights significant security risks [2], as unauthorized access to help desk tickets could lead to further network infiltration and potential full control of affected systems [2]. This situation underscores the necessity for organizations to promptly identify and remediate vulnerabilities to reduce their attack surface and maintain cybersecurity hygiene [3]. SolarWinds Web Help Desk is widely utilized by large enterprises and government organizations for help desk ticketing and asset management [5]. Field Effect advises impacted users to install the patch immediately [3], following SolarWinds’ original advisory [3], as cyberattacks on service desk software continue to increase in frequency and sophistication [4]. Organizations are urged to remain vigilant [4], monitor security advisories [4], and maintain strong defense mechanisms to safeguard their critical infrastructure [4].

Conclusion

The exploitation of CVE-2024-28987 in SolarWinds WHD software underscores the critical need for organizations to address vulnerabilities promptly. The potential for unauthorized access and privilege escalation poses significant threats to cybersecurity. Immediate application of security patches and adherence to CISA’s directives are essential to mitigate these risks. As cyber threats continue to evolve, maintaining robust cybersecurity practices and staying informed about emerging vulnerabilities are imperative for safeguarding critical infrastructure.

References

[1] https://www.cybersecuritydive.com/news/cisa-flaw-solarwinds-web-help-desk/730003/
[2] https://vulert.com/blog/solarwinds-help-desk-vulnerability/
[3] https://fieldeffect.com/blog/critical-solarwinds-vulnerability-actively-exploited
[4] https://cybermaterial.com/cisa-warns-of-critical-solarwinds-flaw/
[5] https://securityaffairs.com/169882/hacking/u-s-cisa-microsoft-windows-kernel-mozilla-firefox-solarwinds-web-help-desk-bugs-known-exploited-vulnerabilities-catalog.html
[6] https://securityonline.info/cisa-warns-actively-exploited-vulnerabilities-including-windows-kernel-flaw-and-firefox-zero-day/
[7] https://thehackernews.com/2024/10/cisa-warns-of-active-exploitation-in.html
[8] https://www.cisa.gov/news-events/alerts/2024/10/15/cisa-adds-three-known-exploited-vulnerabilities-catalog
[9] https://www.heise.de/en/news/Patch-now-Attackers-attack-Solarwind-s-Web-Help-Desk-9983423.html
[10] https://www.techradar.com/pro/security/critical-severity-flaw-warning-issued-by-cisa-for-solarwinds-web-help-desk