SolarWinds has released patches to address a new security flaw in its Web Help Desk (WHD) software that could allow remote, unauthenticated users to gain unauthorized access to vulnerable instances.
“SolarWinds Web Help Desk (WHD) software is subject to a hardcoded credentials vulnerability that could allow a remote, unauthenticated user to access internal functions and modify data,” the company said in a new advisory published today.
The issue, tracked as CVE-2024-28987, has a CVSS score of 9.1, indicating critical severity. Horizon3.ai security researcher Zach Hanley is credited with discovering and reporting the flaw.
Users are advised to upgrade to the latest version, 12.8.3 Hotfix 2, although Web Help Desk 12.8.3.1813 or 12.8.3 HF1 must already be installed in order to apply the fix.
The disclosure comes a week after SolarWinds moved to address another critical vulnerability in the same software that could be exploited to execute arbitrary code (CVE-2024-28986, CVSS score: 9.8).
According to the US Cybersecurity and Infrastructure Security Agency (CISA), that earlier flaw is being actively exploited in the wild, although it is still unknown how it is being used in actual attacks.
More information about CVE-2024-28987 is expected to be released next month, so it is important that updates are installed in a timely manner to mitigate potential threats.