A critical vulnerability in SolarWinds Web Help Desk (WHD) software, originally discovered in August, is confirmed to being under active exploitation.
Tracked as CVE-2024-28987, this vulnerability is caused by hard-coded credentials, allowing unauthenticated attackers to remotely access and modify help desk data, which often includes sensitive information such as user credentials and service account details.
Vulnerability Details:
- Vulnerability ID: CVE-2024-28987
- CVSS Score: 9.1 (Critical)
- Description: This flaw allows a remote, unauthenticated attacker to gain full access to help desk ticket data, enabling them to read and modify sensitive information such as password reset requests and shared service credentials.
- Affected Versions: SolarWinds Web Help Desk prior to version 12.8.3 Hotfix 2.
- Discovery Date: August 2024
- Public Disclosure: September 2024
Exploitation Evidence:
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming that it is actively being exploited. While specifics about the attackers or their methods are still unclear, the threat is real: Organizations running unpatched versions of SolarWinds Web Help Desk are at an elevated risk and should act immediately to secure their systems.
Mitigation & Recommendations:
- Apply Patches Immediately: SolarWinds has released a patch in version 12.8.3 Hotfix 2, which addresses this vulnerability. All Web Help Desk users must update to this version or a later release to mitigate the risk of exploitation.
- Audit Access Permissions: Review the roles and permissions of all users interacting with Web Help Desk to ensure unauthorized access is minimized. Ensure that credentials and permissions are rotated and secured, especially for shared service accounts.
- Monitor Network Logs: Continuously monitor for unusual access patterns or any attempts to exploit Web Help Desk, particularly any unauthorized attempts to access or modify help desk tickets.
- Consider Alternatives: If patching cannot be immediately applied, consider temporarily disabling Web Help Desk or limiting access to trusted internal networks until the vulnerability is addressed.
Key Risk Areas:
This vulnerability has a broad impact, particularly in organizations where Web Help Desk plays a central role in handling sensitive requests such as:
- Password reset requests
- Shared service account credentials
- Internal IT procedures and configurations
The exploitation of this vulnerability can lead to:
- Data breaches and exposure of sensitive internal IT operations and information, including credentials
- With this level of access, malicious actors could alter help desk ticket data or modify internal system configurations, leading to disruption of services or further security risks
- The exposure of credentials could allow attackers to move laterally across the network, potentially compromising additional systems and applications
Risk Landscape:
SolarWinds Web Help Desk is widely used across State, Local, and Education (SLED) markets, making this vulnerability particularly concerning for institutions handling sensitive user data. Public exposure of Web Help Desk instances on the internet significantly increases the likelihood of targeted attacks, especially with active exploitation already reported.
