CVE-2021-35232
published 2021-12-27

Priority: P1 (80)
CVSS 3.1: 6.1 medium (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)
In the wild: VulnCheck KEV (exploited in the wild)
EPSS: 0.30% (21.6th percentile)
Hard-coded credentials were discovered in the SolarWinds Web Help Desk product. With these credentials, an attacker with local access to the Web Help Desk host machine can execute arbitrary HQL queries against the database and leverage the vulnerability to steal users' password hashes or insert arbitrary data into the database.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
solarwinds | web_help_desk | >= 12.7.7 and previous versions < 12.7.7 HF 1 | 12.7.7 HF 1
solarwinds | webhelpdesk | <= 12.7.6 | (none listed)

Detection & IOCs (extracted from sources)

Path: /helpdesk/assetReport
Snort rule:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT SolarWinds Web Help Desk Hard Coded Credentials Request (CVE-2021-35232)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/helpdesk/assetReport"; nocase; startswith; fast_pattern; http.request_body; content:"select"; nocase; content:"password"; nocase; http.content_type; content:"text/plain"; reference:url,blog.assetnote.io/2022/01/23/solarwinds-webhelpdesk-hsql-eval-harcoded-creds/; reference:cve,2021-35232; classtype:attempted-admin; sid:2034971; rev:1; metadata:created_at 2022_01_25, cve CVE_2021_35232, deployment Perimeter, deployment Internal, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2022_01_25;)
  • Exploit traffic is a POST request to /helpdesk/assetReport with a text/plain Content-Type body containing HQL keywords 'select' and 'password', sent to the server.
  • The attacker leverages hard-coded credentials to execute arbitrary HQL queries against the database, targeting password hashes or inserting arbitrary data.
  • Snort/Suricata SID 2034971 (ET ruleset) can be used to detect exploitation attempts at the network perimeter or internally.
  • Exploitation requires local access to the Web Help Desk host machine to leverage the hard-coded credentials; remote-only network monitoring may not be sufficient.
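As an added example (not part of this record or of the ET ruleset), the match conditions of SID 2034971 re-implemented in Python so the rule logic can be checked against captured HTTP requests without a Snort/Suricata sensor; the request records and bodies below are constructed sample data.

```python
"""Pure-Python mirror of the matching conditions in ET SID 2034971 (added
example, not the rule author's code). Field semantics follow the rule:
content matches are case-sensitive unless the rule says 'nocase'."""
from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    uri: str
    content_type: str
    body: bytes


def matches_sid_2034971(req: HttpRequest) -> bool:
    """True when a request satisfies every condition of the rule."""
    if req.method != "POST":                      # http.method; content:"POST" (no nocase)
        return False
    if not req.uri.lower().startswith("/helpdesk/assetreport"):  # http.uri; nocase; startswith
        return False
    if "text/plain" not in req.content_type:      # http.content_type; content:"text/plain"
        return False
    body = req.body.lower()                       # http.request_body; both keywords nocase
    return b"select" in body and b"password" in body


# Constructed sample traffic: two requests that hit every condition and
# three near-misses, each failing exactly one condition of the rule.
SAMPLE_REQUESTS = [
    HttpRequest("POST", "/helpdesk/assetReport", "text/plain", b"select password"),
    HttpRequest("POST", "/helpdesk/assetReport?x=1", "text/plain; charset=utf-8",
                b"SELECT ... PASSWORD"),           # query string and charset still match
    HttpRequest("GET", "/helpdesk/assetReport", "text/plain", b"select password"),
    HttpRequest("POST", "/helpdesk/assetReport", "application/json",
                b'{"q": "select password"}'),      # wrong Content-Type, no alert
    HttpRequest("POST", "/helpdesk/other", "text/plain", b"select password"),
]


def flag_requests(requests):
    """Return the indices of the requests the rule logic would alert on."""
    return [i for i, r in enumerate(requests) if matches_sid_2034971(r)]


if __name__ == "__main__":
    print(flag_requests(SAMPLE_REQUESTS))         # [0, 1]
```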

CVSS provenance

Source | Version | Score | Severity | Vector
NVD | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
NVD | v2.0 | 3.6 | LOW | AV:L/AC:L/Au:N/C:P/I:P/A:N
VulnCheck | - | 6.8 | MEDIUM | -