CISA warns of active exploitation of critical vulnerability in SolarWinds Help Desk software

Details of the bug were first disclosed in August


The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding a critical security vulnerability in SolarWinds Web Help Desk (WHD) software that is being actively exploited by malicious actors.

On Tuesday, CISA added the flaw – tracked as CVE-2024-28987 – to its Known Exploited Vulnerabilities (KEV) Catalog.

The agency also added two other vulnerabilities to the KEV Catalog, based on evidence of active exploitation.

SolarWinds first disclosed the details of CVE-2024-28987 in late August 2024.

This vulnerability is described as a "hardcoded credential issue," which allows remote, unauthenticated attackers to gain access to internal WHD functions and potentially modify sensitive data within help desk tickets. This data could include passwords from reset requests and shared service account credentials, posing a significant security risk.
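The bug class named above, hardcoded credentials, is worth seeing side by side with the pattern that avoids it. The following is an added example written for this article; it is not SolarWinds WHD code and makes no claim about how WHD implements anything. The vulnerable function bakes a username and password into the code base, so every installation shares one secret that anyone with the shipped artifact can read, which is why such a bug is effectively unauthenticated remote access. The hardened `CredentialStore` takes its only account from deployment configuration (the `WHD_EXAMPLE_API_USER` / `WHD_EXAMPLE_API_PASSWORD` variable names are hypothetical), stores a salted PBKDF2 hash, and compares in constant time; a short source scan at the end finds credential-looking string literals during review.

```python
"""Hardcoded-credential bug class: vulnerable pattern, hardened pattern, and a
simple source scan. Constructed illustration; none of this is SolarWinds WHD code."""
import hashlib
import hmac
import os
import re
import secrets

# ---------- vulnerable pattern (constructed) ----------
# A credential baked into the code base is identical in every installation and
# becomes public as soon as the software is decompiled or read from disk.
_BUILTIN_USER = "internal-api"
_BUILTIN_PASSWORD = "S3rvice!Acct"   # constructed placeholder, not a real secret


def vulnerable_authenticate(user: str, password: str) -> bool:
    """Accepts the same built-in credential everywhere; cannot be rotated."""
    return user == _BUILTIN_USER and password == _BUILTIN_PASSWORD


# ---------- hardened pattern ----------
class CredentialStore:
    """Per-deployment credentials: salted PBKDF2 hashes, constant-time
    comparison, and no account at all unless the operator provisions one."""

    ITERATIONS = 200_000

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   CredentialStore.ITERATIONS)

    def add_user(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._derive(password, salt))

    def authenticate(self, user: str, password: str) -> bool:
        entry = self._users.get(user)
        if entry is None:
            # Do the same work for unknown users so they are not distinguishable by timing.
            self._derive(password, b"\x00" * 16)
            return False
        salt, expected = entry
        return hmac.compare_digest(self._derive(password, salt), expected)


def store_from_environment(env=os.environ) -> CredentialStore:
    """Provision the internal account from deployment configuration (hypothetical
    variable names). Missing configuration means no internal account exists,
    which is the opposite of shipping a built-in one."""
    store = CredentialStore()
    user = env.get("WHD_EXAMPLE_API_USER")
    password = env.get("WHD_EXAMPLE_API_PASSWORD")
    if user and password:
        store.add_user(user, password)
    return store


# ---------- finding the pattern in source during review ----------
_CRED_ASSIGN = re.compile(
    r"""(?i)\w*(password|passwd|pwd|secret|api[_-]?key|token)\w*\s*=\s*["'][^"']{4,}["']"""
)


def find_hardcoded_credentials(source: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for string literals assigned to
    credential-looking names. A review aid, not a proof of absence."""
    hits = []
    for n, line in enumerate(source.splitlines(), 1):
        if _CRED_ASSIGN.search(line):
            hits.append((n, line.strip()))
    return hits


# Constructed sample source for the scanner; lines 3 and 4 are the findings.
SAMPLE_SOURCE = '''
db_host = "localhost"
db_password = "hunter2-constructed"
apiKey = 'abcd1234'
timeout = 30
password = os.environ["PASSWORD"]
'''

if __name__ == "__main__":
    print("built-in credential accepted:", vulnerable_authenticate("internal-api", "S3rvice!Acct"))
    store = store_from_environment({"WHD_EXAMPLE_API_USER": "ops",
                                    "WHD_EXAMPLE_API_PASSWORD": "correct horse"})
    print("configured credential accepted:", store.authenticate("ops", "correct horse"))
    print("no account without configuration:",
          store_from_environment({}).authenticate("internal-api", "S3rvice!Acct"))
    for n, line in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {n}: {line}")
```

The scanner is deliberately coarse (it will flag test fixtures and miss credentials assembled at runtime); its value is in making the review question explicit: where does this secret come from, and can an operator change it without a vendor release?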

The bug was discovered by security researcher Zach Hanley of Horizon3.ai, who has since revealed technical details of CVE-2024-28987, including indicators of compromise (IoCs) and proof-of-concept (PoC) code.

Hanley said they identified around 830 SolarWinds WHD instances exposed to the internet, primarily within the state, local, and education (SLED) sector.

CISA advises that Federal Civilian Executive Branch (FCEB) agencies must implement the latest fixes released by SolarWinds by 5th November 2024 to mitigate the risk of exploitation.

CVE-2024-28987 is the second critical vulnerability discovered in SolarWinds WHD in recent months.

Back in August, CISA added another flaw (CVE-2024-28986) to the KEV catalog, which could allow attackers to execute code on vulnerable systems.

The initial hotfix (WHD 12.8.3 Hotfix 1) for CVE-2024-28986 introduced new problems, forcing SolarWinds to remove it. The second hotfix (WHD 12.8.3 Hotfix 2) addressed the original vulnerability but caused other issues.

Finally, SolarWinds released WHD 12.8.3 Hotfix 3, which combines the fixes from the previous two hotfixes while resolving some of the functionality issues.

In July, SolarWinds addressed eight critical vulnerabilities in its Access Rights Manager (ARM) software. The flaws, rated 9.6 out of 10 on the Common Vulnerability Scoring System (CVSS), could allow attackers to not only steal sensitive information but also potentially take complete control of affected systems by executing malicious code.

Two critical vulnerabilities added to KEV catalog

On Tuesday, CISA also warned of two critical vulnerabilities that are being actively exploited by malicious actors. These vulnerabilities, identified as CVE-2024-30088 and CVE-2024-9680, pose significant threats to both federal and private sector entities and have now been added to the KEV Catalog.

CVE-2024-30088 is a race condition vulnerability in the Microsoft Windows kernel that could enable attackers to gain SYSTEM privileges. This high-severity flaw affects multiple Windows products, such as Windows Server 2016, Windows 10, and Windows 11.

CVE-2024-9680 is a use-after-free vulnerability found in both Mozilla Firefox and Thunderbird. It could allow attackers to execute arbitrary code, posing a significant risk to users of these applications. Its CVSS score of 9.8 highlights the severity of the threat.

Mozilla has confirmed reports of active exploitation of CVE-2024-9680, highlighting the need for immediate action.