CISA Warns of Active Exploitation of SolarWinds Help Desk Software Vulnerability

Oct 16, 2024 | Ravie Lakshmanan | Vulnerability / Data Security

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain unauthorized access and make modifications.

“SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data,” CISA said in an advisory.

Details of the flaw were first disclosed by SolarWinds in late August 2024, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later.


The vulnerability “allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset requests and shared service account credentials,” security researcher Zach Hanley said.

It is currently not clear how the flaw is being exploited in real-world attacks, or by whom. That said, the development comes two months after CISA added another flaw in the same software (CVE-2024-28986, CVSS score: 9.8) to the KEV catalog.

In light of the active abuse, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes (version 12.8.3 Hotfix 2 or later) by November 5, 2024, to secure their networks.
