The US cybersecurity agency CISA on Thursday warned that a fresh critical-severity vulnerability in SolarWinds Web Help Desk has been exploited in attacks.
The bug, tracked as CVE-2024-28986 (CVSS score of 9.8), is described as a Java deserialization remote code execution (RCE) issue that could allow attackers to run commands on the host machine.
This week, SolarWinds announced a hotfix that addresses the vulnerability, noting that authentication is required for successful exploitation, but without mentioning its in-the-wild exploitation.
“While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing,” the company said in its advisory.
However, SolarWinds did recommend that all customers apply the available patch, which is compatible with Web Help Desk version 12.8.3.1813 only, urging users of previous iterations to upgrade as soon as possible. The flaw impacts versions 12.4 to 12.8 of the helpdesk solution.
The company has since updated its advisory to warn that the hotfix should not be applied to Web Help Desk installations if SAML Single Sign-On (SSO) is utilized.
On Thursday, roughly two days after SolarWinds announced the hotfix, CISA added CVE-2024-28986 to its Known Exploited Vulnerabilities (KEV) catalog, “based on evidence of active exploitation”.
While the agency did not provide details on the observed exploitation, the short window between public disclosure and the addition to KEV suggests that the vulnerability might have been exploited as a zero-day, security researchers speculate.
Furthermore, they suggest that satellite communications companies Inmarsat and Viasat (which are mentioned in SolarWinds’ advisory) or one of their customers, might have been compromised through this bug.
As the Binding Operational Directive (BOD) 22-01 mandates, with CVE-2024-28986 added to KEV, federal agencies have until September 5 to identify and patch vulnerable SolarWinds Web Help Desk instances in their environments.
While BOD 22-01 only applies to federal agencies, all organizations are advised to review SolarWinds’ advisory and apply the necessary mitigations as soon as possible.
Related: SolarWinds Issues Hotfix for Critical Web Help Desk Vulnerability
Related: Google Patches Android Zero-Day Exploited in Targeted Attacks
Related: Threat Actors Exploit Fresh ServiceNow Vulnerabilities in Attacks
Related: Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products
