CVE-2024-28987

CRITICAL CISA KEV EPSS 99.8%
9.1 CVSS 3.1
Critical
Published Aug 21, 2024 1y ago
Last Modified Jun 17, 2026 1w ago
KEV Listed Oct 15, 2024 1y ago
KEV Due Nov 5, 2024 602d overdue

Description

The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.

CVSS Details

Base Score: 9.1
Exploitability: 3.9
Impact: 5.2
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Threat Intelligence

CISA Known Exploited: Overdue 602d
Added: Oct 15, 2024
Due: Nov 5, 2024

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

EPSS Exploit Probability: 99.8% percentile
Exploit & Patch Status: Actively Exploited (KEV); No Patch Available

Weaknesses 1

CWE-798 Use of Hard-coded Credentials Authentication

Affected Products 3

Vendor      Product        Version  Range
solarwinds  web_help_desk  *        <12.8.3
solarwinds  web_help_desk  12.8.3   any
solarwinds  web_help_desk  12.8.3   any

References 4

  • support.solarwinds.com https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2
    Release Notes
  • cisa.gov https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-28987
    US Government Resource
  • solarwinds.com https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
    Vendor Advisory
  • theregister.com https://www.theregister.com/2024/08/22/hardcoded_credentials_bug_solarwinds_whd/
    Press/Media Coverage, Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.