CVE-2024-28987
📋 TL;DR
CVE-2024-28987 is a hardcoded credential vulnerability in SolarWinds Web Help Desk that allows remote unauthenticated attackers to access internal functionality and modify data. This affects all organizations running vulnerable versions of SolarWinds WHD software. The vulnerability stems from embedded credentials that cannot be changed by administrators.
💻 Affected Systems
- SolarWinds Web Help Desk
📦 What is this software?
Web Help Desk by Solarwinds
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Web Help Desk system allowing data theft, service disruption, and potential lateral movement to connected systems.
Likely Case
Unauthorized access to sensitive help desk data, ticket manipulation, privilege escalation, and configuration changes.
If Mitigated
Limited impact if system is isolated behind strong network controls and access restrictions.
🎯 Exploit Status
The vulnerability requires minimal technical skill to exploit once the hardcoded credentials are known. CISA has added this to their Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 12.8.3 Hotfix 2
Vendor Advisory: https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2
Restart Required: Yes
Instructions:
1. Download SolarWinds Web Help Desk 12.8.3 Hotfix 2 from the SolarWinds customer portal.
2. Back up your current installation and database.
3. Run the installer and follow the upgrade wizard.
4. Restart the Web Help Desk service after installation completes.
🔧 Temporary Workarounds
Network Isolation
All platforms: Restrict network access to Web Help Desk to only trusted IP addresses
Web Application Firewall Rules
All platforms: Implement WAF rules to block requests using the hardcoded credentials
🧯 If You Can't Patch
- Immediately isolate the Web Help Desk server from internet access and restrict internal network access
- Implement additional authentication layers such as VPN or reverse proxy with authentication
🔍 How to Verify
Check if Vulnerable:
Check if Web Help Desk version is earlier than 12.8.3 Hotfix 2. Attempt to authenticate with known hardcoded credentials (specific credentials not disclosed here for security).
Check Version:
Check the version in the Web Help Desk admin interface under Help > About, or examine the installation directory for version files.
Verify Fix Applied:
Verify installation of version 12.8.3 Hotfix 2 and confirm that hardcoded credential authentication no longer works.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful logins from unexpected sources
- Configuration changes from unauthenticated or unexpected users
- Unusual API calls or administrative actions
Network Indicators:
- Unusual traffic patterns to Web Help Desk administrative endpoints
- Authentication requests using hardcoded credentials (monitor for specific patterns)
SIEM Query:
source="web_help_desk" AND ((event_type="authentication" AND result="success" AND user="[hardcoded_user]") OR (event_type="configuration_change" AND user="[hardcoded_user]"))
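The log indicators and SIEM query above, expressed as a small correlation routine over normalized events. This is an added example, not SolarWinds code or part of the original advisory; the event shape, the src_ip and ts fields, the allowlist and the thresholds are assumptions, and [hardcoded_user] remains the page's placeholder.

```python
from datetime import datetime, timedelta

# Assumed event shape: dicts with the SIEM query's field names plus src_ip and ts.
WATCHED_USER = "[hardcoded_user]"        # placeholder kept from the page
TRUSTED_SOURCES = {"10.0.5.10"}          # constructed allowlist of expected clients
WINDOW = timedelta(minutes=10)           # assumed correlation window
FAIL_THRESHOLD = 3                       # assumed number of failures before a success

def detect(events):
    """Return (rule_name, event) pairs for the page's log indicators."""
    alerts, failures = [], {}            # failures: src_ip -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("source") != "web_help_desk":
            continue                     # the source filter applies to every rule
        kind, result, ip, ts = ev.get("event_type"), ev.get("result"), ev["src_ip"], ev["ts"]
        # Rule 1: successful login or configuration change by the watched account.
        if ev.get("user") == WATCHED_USER and (
                kind == "configuration_change"
                or (kind == "authentication" and result == "success")):
            alerts.append(("watched_account_activity", ev))
        if kind != "authentication":
            continue
        # Rule 2: repeated failures followed by a success from an unexpected source.
        if result == "failure":
            failures.setdefault(ip, []).append(ts)
        elif result == "success":
            recent = [t for t in failures.pop(ip, []) if ts - t <= WINDOW]
            if len(recent) >= FAIL_THRESHOLD and ip not in TRUSTED_SOURCES:
                alerts.append(("failures_then_success", ev))
    return alerts

def make_event(minute, event_type, user, src_ip, result=None, source="web_help_desk"):
    ts = datetime(2024, 9, 1, 12, 0) + timedelta(minutes=minute)
    return {"ts": ts, "source": source, "event_type": event_type,
            "user": user, "src_ip": src_ip, "result": result}

# Constructed sample events (not real Web Help Desk logs).
SAMPLE_EVENTS = [
    make_event(0, "authentication", "alice", "203.0.113.7", "failure"),
    make_event(1, "authentication", "alice", "203.0.113.7", "failure"),
    make_event(2, "authentication", "alice", "203.0.113.7", "failure"),
    make_event(3, "authentication", "alice", "203.0.113.7", "success"),
    make_event(4, "authentication", "bob", "10.0.5.10", "success"),
    make_event(5, "authentication", WATCHED_USER, "198.51.100.9", "success"),
    make_event(6, "configuration_change", WATCHED_USER, "198.51.100.9"),
    make_event(7, "configuration_change", WATCHED_USER, "198.51.100.9", source="other_app"),
]

if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(rule, ev["ts"].isoformat(), ev["user"], ev["src_ip"])
```

Map the field names to whatever your log pipeline actually emits before relying on the rules.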
🔗 References
- https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2
- https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
- https://www.theregister.com/2024/08/22/hardcoded_credentials_bug_solarwinds_whd/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-28987