CVE-2021-35232
Published 2021-12-27
CVE-2021-35232: Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host…
Priority P180 · medium · 6.1 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
ITW · VulnCheck KEV
Exploited in the wild
EPSS: 0.30% (21.6th percentile)
Hard-coded credentials were discovered in the SolarWinds Web Help Desk product. Through these credentials, an attacker with local access to the Web Help Desk host machine can execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | web_help_desk | >= 12.7.7 and previous versions < 12.7.7 HF 1 | 12.7.7 HF 1 |
| solarwinds | webhelpdesk | <= 12.7.6 | — |
Detection & IOCs
path: /helpdesk/assetReport
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/helpdesk/assetReport"; nocase; startswith; fast_pattern; http.request_body; content:"select"; nocase; content:"password"; nocase; http.content_type; content:"text/plain"; reference:url,blog.assetnote.io/2022/01/23/solarwinds-webhelpdesk-hsql-eval-harcoded-creds/; reference:cve,2021-35232; classtype:attempted-admin; sid:2034971; rev:1; metadata:created_at 2022_01_25, cve CVE_2021_35232, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_25;)
- Exploit traffic is a POST request to /helpdesk/assetReport with a text/plain Content-Type body containing HQL keywords 'select' and 'password', sent to the server.
- The attacker leverages hard-coded credentials to execute arbitrary HQL queries against the database, targeting password hashes or inserting arbitrary data.
- Snort/Suricata SID 2034971 (ET ruleset) can be used to detect exploitation attempts at the network perimeter or internally.
- Exploitation requires local access to the Web Help Desk host machine to leverage the hard-coded credentials; remote-only network monitoring may not be sufficient.
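CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N |
| nvd | v2.0 | 3.6 | LOW | AV:L/AC:L/Au:N/C:P/I:P/A:N |
| vulncheck | — | 6.8 | MEDIUM | — |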
GHSA
GHSA-34qh-79jp-wj3q: Hard coded credentials discovered in SolarWinds Web Help Desk product
ghsa_unreviewed·2021-12-28
CVE-2021-35232 [MEDIUM] CWE-798 GHSA-34qh-79jp-wj3q: Hard coded credentials discovered in SolarWinds Web Help Desk product
VulnCheck
SolarWinds webhelpdesk Use of Hard-coded Credentials
vulncheck·2021·CVSS 6.8
CVE-2021-35232 [MEDIUM] SolarWinds webhelpdesk Use of Hard-coded Credentials
Affected: SolarWinds webhelpdesk
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-29&host_type=src&vulnerability=cve-2021-35232; https://dashboard.shadowserver.org/statistics/honeypot/
Suricata
ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)
suricata·2022-01-25·CVSS 6.8
CVE-2021-35232 [MEDIUM] ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)
Suricata
ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Buffer Overflow (CVE-2020-35232)
suricata·2021-03-11·CVSS 8.1
CVE-2020-35232 [HIGH] ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Buffer Overflow (CVE-2020-35232)
Rule: alert udp $HOME_NET any -> any 60000: (msg:"ET EXPLOIT Possible NSDP (Netgear) Unauthenticated Buffer Overflow (CVE-2020-35232)"; dsize:>16; content:"|00 1a 00 0a|"; startswith; content:"|ff ff 00 00|"; endswith; fast_pattern; reference:url,research.nccgroup.com/2021/03/08/technical-advisory-multiple-vulnerabilities-in-netgear-prosafe-plus-jgs516pe-gs116ev2-switches/; reference:cve,2020-35232; classtype:attempted-admin; sid:2031938; rev:1; metadata:attack_target Networking_Equipment, created_at 2021_03_11, cve CVE_2020_35232, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_04_05;)
No public exploits indexed.
No writeups or analysis indexed.
https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232
Published: 2021-12-27
Exploited in the wild