A critical vulnerability plaguing a SolarWinds product is being actively exploited to remotely run malicious code on flawed servers. Since the patch is available, users are advised to apply it immediately and thus secure their endpoints.
It was recently reported SolarWinds’ Web Help Desk has a Java deserialization security vulnerability, that allows threat actors to run code and commands, remotely. The vulnerability is tracked as CVE-2024-28986 and carries a severity score of 9.8 (critical).
SolarWinds’ Web Help Desk is a web-based help desk software platform designed to manage IT service requests and streamline support operations. It offers features such as ticketing management, asset management, change management, and knowledge base integration. The software allows IT teams to track and resolve issues more efficiently by automating workflows, assigning tickets, and providing self-service options for end-users.
Proof of abuse
SolarWinds pushed a patch last Wednesday, and urged its users to apply it, despite having no proof of in-the-wild exploits at the time.
“While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available,” SolarWinds said.
“WHD 12.8.3 Hotfix 1 should not be applied if SAML Single Sign-On (SSO) is utilized. A new patch will be available shortly to address this problem.” Before applying the fix, users should upgrade their servers to 12.8.3.1813.
A few days following the announcement, the US Cybersecurity and Infrastructure Security Agency (CISA) added the bug to its Known Exploited Vulnerabilities (KEV) catalog, which means it has evidence of in-the-wild abuse. As a result, all federal agencies have until September 5 to patch vulnerable servers, or stop using the tool altogether.
Via BleepingComputer