CISA Warns of Active Exploitation in SolarWinds Help Desk Software Vulnerability
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain unauthorized access and make modifications.
"SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data," CISA said in an advisory.
Details of the flaw were first disclosed by SolarWinds in late August 2024, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later.
The vulnerability "allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset requests and shared service account credentials," security researcher Zach Hanley said.
It's currently not clear how the shortcoming is being exploited in real-world attacks, and by whom. That said, the development comes two months after CISA added another flaw in the same software (CVE-2024-28986, CVSS score: 9.8) to the KEV catalog.
In light of active abuse, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes (version 12.8.3 Hotfix 2 or later) by November 5, 2024, to secure their networks.
source: TheHackerNews
Free security scan for your website
Top News:
CWE top 25 most dangerous software weaknesses
November 21, 2024Chinese APT Gelsemium Targets Linux Systems with New WolfsBane Backdoor
November 21, 2024Windows 11 KB5046740 update released with 14 changes and fixes
November 22, 2024APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware
November 23, 2024Microsoft rolls out Recall to Windows Insiders with Copilot+ PCs
November 23, 2024Download: CIS Critical Security Controls v8.1
August 8, 2024