SolarWinds has released a hotfix to address a critical-rated hardcoded credential vulnerability in its Web Help Desk (WHD) software, tracked as CVE-2024-28987 [3].

Description

This vulnerability, classified as CWE-798: Use of Hard-coded Credentials [5], allows a remote, unauthenticated attacker who knows the built-in credential to reach internal WHD functionality and modify help desk data [1] [5] [6] [7]. It carries a CVSS score of 9.1 [3] and has been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog [4]. The CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N [5]: reachable over the network, low attack complexity, no privileges or user interaction required, high impact on confidentiality and integrity, and no impact on availability. The fix ships in WHD 12.8.3 Hotfix 2 [2]; the flaw is credited to Zach Hanley [2].

At the time of the advisory, details of how CVE-2024-28987 was being exploited had not been published; the researcher planned to release further information in September, so administrators were urged to install the hotfix before then. Because the credential is part of the product rather than something an operator configures, no configuration change or credential rotation substitutes for the patch; confirm after installation that the instance reports 12.8.3 Hotfix 2. This update follows the recent fix for another critical vulnerability in the same software, CVE-2024-28986.
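The following is an added illustration of the weakness class behind this advisory (CWE-798) and of its remediation; it is not SolarWinds code and says nothing about how the WHD credential is implemented. The account name, the secret string and the INTEGRATION_* environment variable names are constructed for the example. The vulnerable function bakes the credential into the program, so anyone who can read the source, the shipped binary or a support bundle obtains a login the operator cannot change. The hardened form takes the credential from deployment-time configuration, stores only a salted PBKDF2 hash, compares in constant time, and fails closed when nothing has been provisioned instead of falling back to a default.

```python
import hashlib
import hmac
import os
import secrets

# Vulnerable pattern (CWE-798). Names and secret are constructed for this
# illustration; they are not SolarWinds' code or the credential behind
# CVE-2024-28987.
HARDCODED_USER = "integration-user"
HARDCODED_PASSWORD = "example-static-secret"


def authenticate_hardcoded(username: str, password: str) -> bool:
    """Anyone who reads the source, the binary or a support bundle obtains
    a working login that the operator can neither rotate nor revoke."""
    return username == HARDCODED_USER and password == HARDCODED_PASSWORD


# Hardened pattern: the credential is provisioned at deploy time (here via
# hypothetical environment variables; a secrets manager would serve the same
# role) and only a salted PBKDF2 hash is stored.

def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def provision_credential(username: str, password: str) -> dict:
    """Values an operator generates once and places in the deployment's secret
    store. Returned as a dict so it can be passed in place of os.environ."""
    salt = secrets.token_bytes(16)
    return {
        "INTEGRATION_USER": username,
        "INTEGRATION_PW_SALT": salt.hex(),
        "INTEGRATION_PW_HASH": hash_password(password, salt).hex(),
    }


def load_integration_credential(env=None):
    """Return (user, salt, hash) from the environment, or None when the
    credential has not been provisioned. There is deliberately no default."""
    env = os.environ if env is None else env
    user = env.get("INTEGRATION_USER")
    salt_hex = env.get("INTEGRATION_PW_SALT")
    hash_hex = env.get("INTEGRATION_PW_HASH")
    if not (user and salt_hex and hash_hex):
        return None
    try:
        return user, bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return None  # malformed provisioning is treated as "not provisioned"


def authenticate_hardened(username: str, password: str, env=None) -> bool:
    cred = load_integration_credential(env)
    if cred is None:
        # Fail closed: an unprovisioned integration account rejects everyone
        # rather than silently accepting a built-in secret.
        return False
    user, salt, expected = cred
    # Constant-time comparison on both fields; compare_digest returns False
    # (without raising) when the lengths differ.
    user_ok = hmac.compare_digest(user.encode("utf-8"), username.encode("utf-8"))
    pw_ok = hmac.compare_digest(expected, hash_password(password, salt))
    return user_ok and pw_ok


if __name__ == "__main__":
    env = provision_credential("svc-helpdesk", "correct horse battery staple")
    print("hardcoded login accepted:", authenticate_hardcoded(HARDCODED_USER, HARDCODED_PASSWORD))
    print("hardened, unprovisioned:", authenticate_hardened("svc-helpdesk", "anything", env={}))
    print("hardened, right password:", authenticate_hardened("svc-helpdesk", "correct horse battery staple", env))
    print("hardened, wrong password:", authenticate_hardened("svc-helpdesk", "guess", env))
```

The point of the fail-closed branch is the caveat this advisory turns on: a product that ships with a working default account is exploitable on every install until the vendor removes it, because the operator has no credential to rotate. Reviewing a code base for this pattern means looking for string literals assigned to names such as password, secret or token and for authentication paths that still succeed when no credential has been configured.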

Conclusion

Administrators should apply WHD 12.8.3 Hotfix 2 promptly. The impact is severe: the hardcoded credential gives an unauthenticated remote party access to internal functionality and the ability to modify data [2], and there is no configuration-side mitigation for a credential that is built into the product. Once the researcher's technical details are public, exploitation attempts against unpatched, internet-reachable instances should be expected, so patching and verifying the installed build should not wait for that disclosure.

References

[1] https://secalerts.co/vulnerability/CVE-2024-28987
[2] https://cybersecuritynews.com/solarwinds-web-help-desk-rce-vulnerability/
[3] https://thehackernews.com/2024/08/hardcoded-credential-vulnerability.html
[4] https://fieldeffect.com/blog/solarwinds-patches-exploited-hardcoded-credentials-vulnerability
[5] https://cvefeed.io/vuln/detail/CVE-2024-28987
[6] https://www.thehackerwire.com/solarwinds-web-help-desk-two-critical-security-vulnerabilities-resolved/
[7] https://duo.com/decipher/solarwinds-fixes-hardcoded-credential-bug-in-web-help-desk