Critical SolarWinds flaw finds exploitations in the wild despite available fixes – Source: www.csoonline.com

A security oversight by SolarWinds developers in August allowing remote access to sensitive credentials within its Web Help Desk (WHD) product has found active exploitations in the wild.

According to an update by the US Cybersecurity and Infrastructure Security Agency (CISA), the flaw tracked as CVE-2024-28987 has become one of the frequent attack vectors for malicious cyber actors and poses significant risks to the federal enterprise.

While the agency refrained from adding further technical details on the exploitation(s) observed, it has been added to its known exploited vulnerabilities (KEV) catalog.

Queries sent to SolarWinds over these exploitations were not responded to until the publishing of this article.

Vulnerability hot-fixed in August

CVE-2024-28987 is a critical security flaw affecting the SolarWinds help desk that can allow threat actors to gain remote access to victim systems. The company had released a hotfix for the bug upon discovery in August.

“The SolarWinds Web Help Desk software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data,” the software maker had said in the hotfix release notes.

Incidentally, during a critical oversight, SolarWinds developers unintentionally left some hardcoded credentials within the web help desk (WHD), opening the vulnerable instances to easy malicious access without the deployment of any backdoor.

SolarWinds’ Web Help Desk (WHD) is a web-based IT service management solution that streamlines help desk and IT support operations by offering a centralized platform for tracking and resolving service requests. Used by sectors like healthcare, government, and financial services, a vulnerability in WHD that allows remote access could compromise sensitive data in these critical industries.

Second helpdesk criticality exploited

Exploitation of CVE-2024-28987 makes this the second time a critical flaw in SolarWinds WHD was exploited in the wild. Fixed days before CVE-2024-28987, another critical WHD bug (CVE-2024-28986) with a CVSS score of 9.8 out of 10 had reportedly allowed attackers to perform remote code execution (RCE) on vulnerable instances.

SolarWinds had found the hotfix to CVE-2024-28986 not working as expected in a few instances where SAML Single Sign-On (SSO) was utilized and had added a resolution later within the hotfix targeted for the hardcoded credentials vulnerability, called WHD 12.8.3 Hotfix 2.

The US-based software giant has been having a rough few years since the infamous supply-chain attack it suffered in December 2020 owing to a faulty update that led to over 100 of its customers being hacked.

Without further details on the timing and technique of the exploitation, it is difficult to say if “hotfix-ed” instances of SolarWinds WHD are indeed safe from exploitation.