Details about and proof-of-concept (PoC) exploit code for CVE-2024-28987, a recently patched SolarWinds Web Help Desk (WHD) vulnerability that could be exploited by unauthenticated attackers to remotely read and modify all help desk ticket details, are now public.
“When assessing the exposure of our own clients, we found that organizations typically revealed sensitive process information for IT procedures such as user onboarding, password resets, and accessing shared resources. While this vulnerability does not lead to fully compromising the WHD server itself, we found the risk of lateral movement via credentials was high,” notes Horizon3.ai’s Zach Henley, who discovered and reported the flaw to SolarWinds.
Risk of CVE-2024-28987 exploitation
CVE-2024-28987 stems from hardcoded developer login credentials, which can be leveraged to perform create, read, update and delete operations on specific WHD endpoints.
The PoC, developed to dump recent ticket details from a vulnerable server, is now available on GitHub.
A hotfix for CVE-2024-28987 was released a month ago.
Henley says that they've spotted approximately 827 instances of SolarWinds Web Help Desk reachable on the internet. While some may have been updated and are no longer vulnerable to this flaw, others can surely still be successfully targeted.
“The WHD application is seemingly popular with the State, Local, and Education (SLED) market segment, according to a brief examination of those that expose it to the internet and our own client base,” he noted.
This may be the last call for admins to update their installations before attackers spring into action and start rummaging through their help desk tickets, especially because CVE-2024-28986, another recently patched SolarWinds WHD flaw, is being actively exploited by attackers.