SolarWinds has released a hotfix to address a critical-severity vulnerability in Web Help Desk (WHD) that could be exploited remotely to execute arbitrary code.
Described as a Java deserialization remote code execution (RCE) issue and tracked as CVE-2024-28986 (CVSS score of 9.8), the security defect could allow attackers to run arbitrary commands on the host machine, SolarWinds notes in its advisory.
According to the enterprise software maker, although the bug is rated critical severity, its exploitation requires authentication.
“While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing,” the company notes.
CVE-2024-28986 affects Web Help Desk versions 12.4 through 12.8, but the hotfix requires that Web Help Desk version 12.8.3.1813 be installed first.
SolarWinds recommends that all customers upgrade to Web Help Desk 12.8.3, download the hotfix from the SolarWinds Customer Portal, and install it as soon as possible.
The hotfix, the company says, automatically adds a JAR file to a subfolder in the Web Help Desk home folder and modifies two other files, but also requires that users manually modify a file in the product’s config directory.
Detailed instructions on how to install the hotfix and which files need to be modified can be found in SolarWinds’ advisory.
“We recommend all Web Help Desk customers apply the patch, which is now available,” the company notes.
SolarWinds makes no mention of this vulnerability being exploited in the wild, but threat actors are known to have targeted vulnerabilities in SolarWinds products.
Web Help Desk is a helpdesk solution that provides customers with a ticketing system, a centralized knowledge base, the ability to manage services and assets, Active Directory integration, and more.