CISA Flags Critical SolarWinds Web Help Desk Bug for In-the-Wild Exploitation

The US cybersecurity agency CISA on Tuesday added a recent SolarWinds Web Help Desk (WHD) bug to its Known Exploited Vulnerabilities (KEV) catalog, warning of its in-the-wild exploitation.

The flaw, tracked as CVE-2024-28987 (CVSS score of 9.1), is described as a hardcoded credential issue that allows remote, unauthenticated attackers to access internal WHD functionality and modify data.

SolarWinds warned of this security defect on August 21, when it released a second hotfix addressing CVE-2024-28986, a Java deserialization vulnerability in WHD that could allow remote attackers to run commands on the host machine and execute arbitrary code.

On August 13, the company had released WHD 12.8.3 Hotfix 1 to resolve CVE-2024-28986, but removed the hotfix one week later, after discovering that it broke SAML Single Sign-On (SSO) and created several other functionality issues. CISA added CVE-2024-28986 to KEV two days later.

Roughly one month after SolarWinds pushed out WHD 12.8.3 Hotfix 2, Horizon3.ai engineer Zach Hanley published details on CVE-2024-28987, along with indicators of compromise (IoCs) and proof-of-concept (PoC) code.

The bug’s successful exploitation could allow “unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset requests and shared service account credentials,” Hanley said.

He also noted seeing roughly 830 SolarWinds WHD instances exposed to the internet, mainly in the state, local, and education (SLED) market segment.

On October 15, just as SolarWinds announced the release of WHD 12.8.3 Hotfix 3, which includes the patches from the first two hotfixes and resolves some issues created by the second one, CISA added CVE-2024-28987 to its KEV list, urging federal agencies to address it as soon as possible.

The agency also added a fresh Firefox zero-day (CVE-2024-9680) to the catalog, along with a Windows kernel bug (CVE-2024-30088) exploited by Iranian cyberspies against government entities in the Gulf region.

CISA’s warning is the first report regarding the in-the-wild exploitation of CVE-2024-28987.

Per Binding Operational Directive (BOD) 22-01, federal agencies have until November 5 to identify in their environments any product vulnerable to one of the KEV catalog flaws and apply the available patches.

While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV catalog and prioritize the remediation of the security defects it includes.

Related: Tor Browser Update Patches Exploited Firefox Zero-Day

Related: Ivanti Warns Customers of More CSA Zero-Days Exploited in Attacks

Related: Recent Veeam Vulnerability Exploited in Ransomware Attacks

Related: Windows Event Log Vulnerabilities Could Be Exploited to Blind Security Products
