The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability involves hard-coded credentials that can be abused to gain unauthorized access and modify data.
“SolarWinds Web Help Desk contains a hard-coded credentials vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data,” the CISA advisory said.
Details of the flaw were first disclosed by SolarWinds in late August 2024, and cybersecurity company Horizon3.ai published additional technical details a month later.
The vulnerability “allows an unauthenticated attacker to remotely read and modify all details of support tickets, which often contain sensitive information such as passwords from reset requests and shared service account credentials,” said security researcher Zach Hanley.
It is currently unclear how this flaw is being exploited in real-world attacks and by whom. The development comes two months after CISA added another flaw in the same software (CVE-2024-28986, CVSS score: 9.8) to the KEV catalog.
In light of active exploitation, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest patches (version 12.8.3 Hotfix 2 or later) by November 5, 2024 to secure their networks.