
SolarWinds Axes Hardcoded Credentials With Hotfix for Exploited Web Help Desk Flaw

SolarWinds has issued a second Web Help Desk hotfix to remove hardcoded credentials after patching a critical-severity vulnerability last week.

SolarWinds on Wednesday announced a second hotfix for an exploited Web Help Desk vulnerability, which also removes hardcoded credentials disclosed during the deployment of the first hotfix.

The enterprise software maker warns that the hardcoded credential blunder, which was assigned CVE-2024-28987, with a CVSS score of 9.1, could allow a “remote unauthenticated user to access internal functionality and modify data”.

Applicable to Web Help Desk 12.8.3.1813 and to 12.8.3 HF1, the new hotfix not only removes the leaked secrets, but also adds more patterns to fix an SSO issue, and resolves the critical-severity remote code execution (RCE) bug that the initial hotfix was meant to address.

“This hotfix addresses the SolarWinds Web Help Desk broken access control remote code execution vulnerability fixed in WHD 12.8.3 Hotfix 1, as well as fixing the SolarWinds Web Help Desk hardcoded credential vulnerability, and restoring the affected product functionality found in WHD 12.8.3 Hotfix 1,” the company notes in its advisory.

The initial flaw, tracked as CVE-2024-28986 (CVSS score of 9.8), is described as a Java deserialization RCE issue that could allow remote attackers to execute commands on the host machine.

The vulnerability is supposedly exploitable without authentication, but SolarWinds claims that it was not able to reproduce it without authentication “after thorough testing”.


Less than two days after SolarWinds announced the hotfix for CVE-2024-28986, the US cybersecurity agency CISA added the bug to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of malicious exploitation.

While no further details were provided, CISA’s quick action suggests that the security defect might have been exploited in the wild as a zero-day, before patches were released. Satellite communications companies Inmarsat and Viasat, or one of their customers, might have been targeted.

Organizations are advised to apply the Web Help Desk 12.8.3 Hotfix 2 as soon as possible. SolarWinds’ advisory contains detailed instructions about the process.

*Updated title, excerpt, and first paragraph after SolarWinds pointed out that the hardcoded credentials were responsibly disclosed during the deployment of the first hotfix and not introduced by it.

Related: SolarWinds Patches Critical Vulnerabilities in Access Rights Manager

Related: CISA Warns of Exploited Vulnerabilities Impacting Dahua Products

Related: Microsoft Copilot Studio Vulnerability Led to Information Disclosure

Related: BillQuick Billing Software Exploited to Hack U.S. Engineering Company

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
