October 17, 2024

CISA has recently added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a critical hardcoded credentials issue in SolarWinds Web Help Desk (WHD), which was patched by the vendor in late August 2024.
SolarWinds Web Help Desk is a widely used IT support platform, serving around 300,000 customers globally, including government entities, large enterprises, and healthcare organizations.
The SolarWinds vulnerability, identified as CVE-2024-28987, stems from hardcoded credentials—a username “helpdeskIntegrationUser” and password “dev-C4F8025E7.” These credentials could allow remote, unauthenticated attackers to access WHD endpoints, potentially enabling them to retrieve or alter data without any restrictions.
After receiving a report from Horizon3.ai researcher Zach Hanley, who discovered the flaw, SolarWinds released a hotfix just four days later. They strongly advised administrators to upgrade to WHD version 12.8.3 Hotfix 2 or newer.
CISA’s inclusion of this vulnerability in its KEV list signifies that it is now being actively exploited in the wild.
The U.S. government agency did not provide many specifics regarding the malicious activity, and whether the flaw is being used in ransomware attacks remains unclear.
Federal agencies and U.S. government organizations are required to update to a secure version or cease using the software by November 5, 2024.
Due to the ongoing exploitation of CVE-2024-28987, it is highly recommended that system administrators secure WHD endpoints well before the deadline.
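As an added example (not code from the article, SolarWinds or CISA), the following Python script performs the two checks an administrator would want before the deadline: it flags any WHD version string older than the advised 12.8.3 Hotfix 2, and it scans authentication log lines for use of the hardcoded account named in the advisory. The version format `major.minor.patch [Hotfix N]` and the log layout `<timestamp> <src_ip> user=<name> ...` are assumptions for this example, and the sample log lines are constructed.

```python
import re
from typing import Iterable, List, Tuple

# Hardcoded account named in the CVE-2024-28987 advisory text.
HARDCODED_USER = "helpdeskIntegrationUser"
# First fixed build named by the vendor: 12.8.3 Hotfix 2.
MIN_FIXED = (12, 8, 3, 2)

# Assumed version format: "12.8.3" or "12.8.3 Hotfix 2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\s+Hotfix\s+(\d+))?$", re.IGNORECASE)


def parse_whd_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '12.8.3 Hotfix 2' into (12, 8, 3, 2); a release with no hotfix gets 0.
    Assumption: hotfix numbers sort within a release, as the vendor string reads."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable_version(text: str) -> bool:
    """True for any build older than the first fixed build."""
    return parse_whd_version(text) < MIN_FIXED


def hardcoded_user_events(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (src_ip, line) for each event where the hardcoded account was used.
    Log layout is constructed for this example: '<ts> <src_ip> user=<name> <rest>'."""
    hits = []
    for line in lines:
        m = re.match(r"^(\S+)\s+(\S+)\s+user=(\S+)", line)
        if m and m.group(3) == HARDCODED_USER:
            hits.append((m.group(2), line))
    return hits


SAMPLE_LOG = [  # constructed sample, not real WHD output
    "2024-10-15T09:58:02Z 192.0.2.10 user=jdoe action=ticket.view id=4411",
    "2024-10-15T10:02:11Z 203.0.113.7 user=helpdeskIntegrationUser action=ticket.list",
    "2024-10-15T10:02:13Z 203.0.113.7 user=helpdeskIntegrationUser action=ticket.update id=4411",
    "2024-10-15T10:05:40Z 192.0.2.12 user=asmith action=login",
]

if __name__ == "__main__":
    for v in ("12.8.3", "12.8.3 Hotfix 1", "12.8.3 Hotfix 2", "12.8.4"):
        print(f"{v:18} vulnerable={is_vulnerable_version(v)}")
    for ip, line in hardcoded_user_events(SAMPLE_LOG):
        print("hardcoded account used from", ip, "->", line)
```

Any hit from the log scan is worth treating as an unauthenticated access attempt, since the account is not one a legitimate operator should be signing in with.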
The other two vulnerabilities added to CISA’s KEV list affect Windows and Mozilla Firefox, both of which have been exploited in attacks. CISA has mandated that federal agencies patch these flaws by November 5 as well.
The Windows vulnerability, CVE-2024-30088, is a Kernel TOCTOU race condition, actively exploited by the OilRig (APT34) group, as reported by Trend Micro. The group used this flaw to escalate privileges to SYSTEM level on compromised devices. Microsoft addressed this issue in its June 2024 Patch Tuesday update, but the exact timing of its exploitation remains unclear.
The Mozilla Firefox vulnerability, CVE-2024-9680, was discovered by ESET researcher Damien Schaeffer on October 8, 2024, and patched by Mozilla within 25 hours.
According to Mozilla, ESET provided an attack chain involving remote code execution through CSS animation timelines in Firefox. Although ESET is still investigating the observed attack, a spokesperson indicated that the malicious activity appears to originate from Russia and is likely linked to espionage efforts.