Unpacking the SolarWinds Web Help Desk Zero-Day Vulnerability

 

Critical SolarWinds Vulnerability Actively Exploited: Urgent Action Required

On Thursday, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent warning about a newly discovered critical vulnerability in SolarWinds Web Help Desk. Designated CVE-2024-28986 and rated with a severe CVSS score of 9.8, this flaw involves a Java deserialization remote code execution (RCE) issue. Attackers exploiting this vulnerability could potentially execute commands on the affected host systems, posing a significant risk to organizations using this software.

In response, SolarWinds released a hotfix aimed at addressing the issue. The company noted that while the vulnerability was initially thought to be unauthenticated, their testing revealed that successful exploitation does, in fact, require authentication. Despite this, SolarWinds strongly advises all users to apply the patch, which is specifically compatible with Web Help Desk version 12.8.3.1813. Organizations using earlier versions, from 12.4 to 12.8, should upgrade promptly.

The advisory also highlights a crucial detail: the hotfix should not be applied to Web Help Desk installations using SAML Single Sign-On (SSO). This specific caveat reflects the complexity of the patch application and the need for precise implementation.

CISA's rapid inclusion of CVE-2024-28986 in its Known Exploited Vulnerabilities (KEV) catalog—just two days after the public disclosure—suggests that the vulnerability may have been exploited as a zero-day. While details about the exploitation remain undisclosed, security experts speculate that entities such as satellite communications companies Inmarsat and Viasat, mentioned in SolarWinds' advisory, could be among those targeted.

According to the Binding Operational Directive (BOD) 22-01, federal agencies must identify and remediate affected SolarWinds Web Help Desk installations by September 5. Though this directive applies specifically to federal entities, all organizations are strongly advised to review SolarWinds’ advisory and apply the necessary patches as soon as possible.

Given the severity of CVE-2024-28986 and the evidence of active exploitation, it is critical for organizations to act swiftly to protect their systems and data from potential breaches.