CVE-2024-28986
published 2024-08-13

Priority: P1 · 98 · critical 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-09-05
Exploited in the wild
EPSS: 84.63% (99.7th percentile)
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Affected (5 ranges)

Vendor      Product        Version range  Fixed in
solarwinds  web_help_desk  <= 12.8.6
solarwinds  web_help_desk  <= 12.8.2
solarwinds  web_help_desk
solarwinds  web_help_desk
solarwinds  web_help_desk

Detection & IOCs (extracted from sources)

url    {{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa
other  shodan: http.favicon.hash:1895809524
path   /helpdesk/WebObjects/Helpdesk.woa
path   /bin/webapps/helpdesk/WEB-INF/lib/
  • Nuclei template fingerprints vulnerable SolarWinds WHD instances by matching specific strings in the HTTP response body of /helpdesk/WebObjects/Helpdesk.woa
  • Version can be extracted from the response body via a regex matching the build token pattern (e.g. ?v=12_8_3_1813) and compared against < 12.8.3.0 to confirm vulnerability. The build token does not reveal whether a hotfix has been applied, so a build at or above 12.8.3.0 still needs its patch level verified on the host before it is treated as fixed
  • Shodan query for exposed SolarWinds Web Help Desk instances using the favicon hash
  • CVE-2024-28986 is a Java deserialization RCE in the AjaxProxy component; monitor for unusual child processes spawned by the WHD Java process
  • SolarWinds could not reproduce the vulnerability without authentication in their own testing, despite it being reported as unauthenticated; exploitation may require some form of authentication in certain configurations
  • WHD 12.8.3 Hotfix 1 must NOT be applied if SAML Single Sign-On (SSO) is in use; a separate patch is required for SSO environments
  • The hotfix requires the server first to be upgraded to Web Help Desk 12.8.3.1813; applying it to older versions is not supported
  • CVE-2024-28986 has been bypassed twice (CVE-2024-28988, then CVE-2025-26399); patching only the original hotfix is insufficient. The latest version, 12.8.7 with its hotfix, must be applied
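As an added example (not code from this page, from SolarWinds, or from the Nuclei project), the version-triage logic the bullets above describe, in Python: it checks for the Helpdesk.woa path, pulls the ?v=... build token out of the body, compares it against the 12.8.3.0 cut-off the page cites, and deliberately does not call a build at or above that cut-off patched, because the token cannot show whether the hotfix was applied. The sample response bodies are constructed, and the stylesheet path inside them is a placeholder rather than a real WHD asset URL; the cut-off and the fingerprint marker are the ones the page states.

```python
import re
from typing import Dict, Optional, Tuple

# Fingerprint marker the page's Nuclei template keys on: the WebObjects app path.
WHD_MARKER = "/helpdesk/WebObjects/Helpdesk.woa"

# Build token embedded in static-asset URLs, e.g. "?v=12_8_3_1813" -> (12, 8, 3, 1813).
BUILD_TOKEN = re.compile(r"\?v=(\d+)_(\d+)_(\d+)_(\d+)")

# Cut-off as described on the page: builds below 12.8.3.0 are reported vulnerable.
# Builds at or above it may or may not carry the hotfix; the version alone cannot tell.
CUTOFF = (12, 8, 3, 0)

Version = Tuple[int, int, int, int]


def looks_like_whd(body: str) -> bool:
    """Cheap fingerprint: the WebObjects application path appears in the body."""
    return WHD_MARKER in body


def extract_version(body: str) -> Optional[Version]:
    """Return the first build token as a 4-tuple of ints, or None if absent."""
    m = BUILD_TOKEN.search(body)
    if m is None:
        return None
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def format_version(v: Version) -> str:
    return ".".join(str(part) for part in v)


def assess(body: str) -> Dict[str, Optional[str]]:
    """Triage one HTTP response body from {{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa.

    verdict values:
      not_whd         - body does not carry the WHD fingerprint
      version_unknown - fingerprint matched but no build token was found
      vulnerable      - build is below the cut-off, so no hotfix can be present
      verify_hotfix   - build is at/above the cut-off; hotfix status must be
                        checked on the host (12.8.3.1813 without the hotfix is
                        still exposed, and 12.8.7 needs its own hotfix)
    """
    if not looks_like_whd(body):
        return {"verdict": "not_whd", "version": None}
    v = extract_version(body)
    if v is None:
        return {"verdict": "version_unknown", "version": None}
    verdict = "vulnerable" if v < CUTOFF else "verify_hotfix"
    return {"verdict": verdict, "version": format_version(v)}


# Constructed sample bodies (not captured traffic). Only the Helpdesk.woa path and
# the "?v=" build token matter; the stylesheet path is a placeholder.
SAMPLE_OLD = (
    '<html><head><link rel="stylesheet" '
    'href="/helpdesk/WebObjects/Helpdesk.woa/wr/whd.css?v=12_8_2_1201">'
    "</head><body>Web Help Desk</body></html>"
)
SAMPLE_NEW = SAMPLE_OLD.replace("12_8_2_1201", "12_8_3_1813")
SAMPLE_OTHER = "<html><body>Welcome to nginx!</body></html>"

if __name__ == "__main__":
    for name, body in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)):
        print(name, assess(body))
```

In a real sweep, feed assess() the body fetched from each candidate host and treat verify_hotfix as a ticket for the server owner, not as a clean result.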

CVSS provenance

nvd        v3.1  9.8  CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck        9.8  CRITICAL
cisa             9.8  CRITICAL