Patch Now: Second SolarWinds Critical Bug in Web Help Desk

The disclosure of CVE-2024-28987 means that, in two weeks, there have been two critical bugs and corresponding patches for SolarWinds' less-often-discussed IT help desk software.

Nate Nelson, Contributing Writer

August 23, 2024


For the second week in a row, SolarWinds has released a patch for a critical vulnerability in its IT help and ticketing software, Web Help Desk (WHD).

According to its latest hotfix notice, the issue — tracked as CVE-2024-28987 — concerns hardcoded credentials that could allow a remote, unauthenticated attacker to break into WHD and modify data.

"Security is hard and a continuous process," says Horizon3.ai vulnerability researcher Zach Hanley, who first discovered and reported the bug. "This application had just received a security look from being exploited in the wild, and a few years [before] had a different hardcoded credential vulnerability. Regular security reviews on the same application can still be valuable for companies."

Two Critical Bugs & Two Urgent Fixes

On Aug. 13, SolarWinds released a hotfix for CVE-2024-28986, a Java deserialization issue that could have allowed an attacker to run commands on a targeted machine. It was given a "critical" 9.8 out of 10 score on the CVSS scale.

Following what the company described as "thorough testing," SolarWinds was unable to prove that the issue could be exploited by an unauthenticated attacker. But just two days after news of it broke, CISA added CVE-2024-28986 to its catalog of known exploited vulnerabilities, indicating that active exploitation by threat actors was already underway.

This week, the company followed up this initial bad news with more of the same, this time concerning a second vulnerability in the same program. In this case, there was no ambiguity: an unauthenticated attacker could use hardcoded credentials in WHD to reach internal functionality and data, which goes some way toward justifying its "critical" 9.1 CVSS score.

Contrary to other reporting, CVE-2024-28987 was not first introduced in the patch for CVE-2024-28986. "This issue has existed for some time in the product, likely for several years," Hanley reports. SolarWinds declined to provide Dark Reading with further comment.

SolarWinds' newest patch incorporates fixes for both issues. Customers are advised to update immediately.

To hammer the point home, Hanley says, "Imagine if an attacker had access to all the details in help desk tickets — what sensitive information may they be able to extract? Credentials, business operations details, etc."
