CVE-2024-28988
CRITICAL EPSS 98.3%
Published Sep 1, 2025 10mo ago · Modified Jun 17, 2026 1w ago
9.8 CVSS 3.1
Description
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability was found by the ZDI team after researching a previous vulnerability and providing this report. The ZDI team was able to discover an unauthenticated attack during their research. We recommend all Web Help Desk customers apply the patch, which is now available. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
CVSS Details
Base Score
Exploitability
Impact
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
98.3% percentile
Exploit & Patch Status
No Known Exploit
Patch Available
Weaknesses 1
CWE-502 Deserialization of Untrusted Data Validation
Affected Products 4
| Vendor | Product | Version | Range |
|---|---|---|---|
| solarwinds | web_help_desk | * | ≤12.8.2 |
| solarwinds | web_help_desk | 12.8.3 | any |
| solarwinds | web_help_desk | 12.8.3 | any |
| solarwinds | web_help_desk | 12.8.3 | any |
References 2
- support.solarwinds.com https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-3
- solarwinds.com https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28988
Remediation
- solarwinds.com https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28988