Skip to the content.

DIVD-2024-00042 - Multiple critical vulnerabilities in Solarwinds Web Help Desk

Our reference DIVD-2024-00042
Case lead Alwin Warringa
Researcher(s)
CVE(s)
Products
  • Solarwinds Web Help Desk
Versions
  • Solarwinds Web Help Desk 12.8.3 HF1 and all previous versions
Recommendation Update to version 12.8.3 HF3
Patch status Patch available
Workaround none
Status Open
Last modified 30 Oct 2024 13:36 CET

Summary

Solarwinds Web Help Desk, has disclosed two critical security vulnerabilities affecting versions released prior to 12.8.3 HF2. The vulnerability, identified as CVE-2024-28987, involves a hardcoded credential vulnerability allowing remote unauthenticated user to access internal functionality and modify data. The other vulnerabilities, identified as CVE-2024-28987 and CVE-2024-28988, susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.

Recommendations

To remediate CVE-2024-28986, CVE-2024-28987 and CVE-2024-28988, update to version 12.8.3 HF3. You can find a link to the Solarwinds Web Helpdesk bulletin at the bottom of this post. Please note that applying the hotfix requires some manual steps which are explained in the security bulletin.

What we are doing

DIVD is currently working to identify parties that are running a vulnerable version of Solarwinds Web Helpdesk and to notify these parties.

Timeline

Date Description
24 Sep 2024 DIVD starts researching the vulnerability.
18 Oct 2024 DIVD finds fingerprint, preparing to scan.
18 Oct 2024 Case opened and starting first scan.
30 Oct 2024 Starting second scan.
30 Oct 2024 Mails sent out.
gantt title DIVD-2024-00042 - Multiple critical vulnerabilities in Solarwinds Web Help Desk dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2024-00042 - Multiple critical vulnerabilities in Solarwinds Web Help Desk (still open) :2024-09-24, 2024-11-19 section Events DIVD starts researching the vulnerability. : milestone, 2024-09-24, 0d DIVD finds fingerprint, preparing to scan. : milestone, 2024-10-18, 0d Case opened and starting first scan. : milestone, 2024-10-18, 0d Starting second scan. : milestone, 2024-10-30, 0d Mails sent out. : milestone, 2024-10-30, 0d

More information