The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw affecting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability stems from hard-coded credentials that could be abused to gain unauthorized access and make modifications.
"SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data," CISA said in an advisory.
Details of the flaw were first disclosed by SolarWinds in late August 2024, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later.
The vulnerability "allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset requests and shared service account credentials," security researcher Zach Hanley said.
It is currently not clear how the shortcoming is being exploited in real-world attacks, or by whom. That said, the development comes two months after CISA added another flaw in the same software (CVE-2024-28986, CVSS score: 9.8) to the KEV catalog.
In light of active abuse, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes (version 12.8.3 Hotfix 2 or later) by November 5, 2024, to secure their networks.
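The remediation bar the article cites is "12.8.3 Hotfix 2 or later" with a November 5, 2024 deadline for FCEB agencies. Checking an asset inventory against that bar is slightly awkward because a hotfix suffix has to sort above the bare release but below the next point release. The script below is an added example, not code from the article, CISA or SolarWinds: it assumes version strings of the form "12.8.3 Hotfix 2" (real WHD builds may report their version differently, so adjust the regex if needed), and the hostnames and versions in the sample inventory are constructed.

```python
import re
from datetime import date

# Fix level and FCEB deadline as stated in the article.
FIXED_VERSION = "12.8.3 Hotfix 2"
FCEB_DEADLINE = date(2024, 11, 5)

# Assumed string form "<major>.<minor>.<patch>[ Hotfix <n>]"; real WHD
# builds may report their version differently, so adapt the regex if so.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:hotfix\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn '12.8.3 Hotfix 2' into ((12, 8, 3, 0), 2) so tuples compare.

    Numeric parts are padded to four fields so 12.9 sorts above 12.8.3;
    a release with no hotfix suffix is treated as hotfix 0, i.e. below
    Hotfix 1 of the same release.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return tuple(parts[:4]), hotfix


def is_fixed(version: str) -> bool:
    """True when the installed version is at or above the fixed release."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


def triage(inventory, today: date) -> list:
    """Classify each (host, version) pair from an asset inventory."""
    results = []
    for host, version in inventory:
        try:
            if is_fixed(version):
                status = "compliant"
            elif today <= FCEB_DEADLINE:
                status = "patch required"
            else:
                status = "overdue"
        except ValueError:
            # An unparseable version needs a manual check, not a silent skip.
            status = "unparseable"
        results.append({"host": host, "version": version, "status": status})
    return results


# Constructed sample inventory; hostnames and versions are not real.
SAMPLE_INVENTORY = [
    ("whd-prod-01", "12.8.3 Hotfix 2"),
    ("whd-prod-02", "12.8.3 Hotfix 1"),
    ("whd-lab", "12.8.2"),
    ("whd-legacy", "version unknown"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY, date(2024, 10, 16)):
        print(f"{row['host']:<12} {row['version']:<18} {row['status']}")
```

Anything that fails to parse is surfaced as "unparseable" rather than dropped, since a host whose version cannot be read is exactly the one most likely to be missed by patch tracking.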