CVE-2024-28986
Published 2024-08-13
Priority P198 · critical · 9.8 · CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2024-09-05
Exploited in the wild
EPSS: 84.63% (99.7th percentile)
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.
While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.
However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | web_help_desk | <= 12.8.6 | — |
| solarwinds | web_help_desk | <= 12.8.2 | — |
| solarwinds | web_help_desk | — | — |
| solarwinds | web_help_desk | — | — |
| solarwinds | web_help_desk | — | — |
Detection & IOCs
url: {{BaseURL}}/helpdesk/WebObjects/Helpdesk.woa
other: shodan:http.favicon.hash:1895809524
path: /helpdesk/WebObjects/Helpdesk.woa
- Nuclei template fingerprints vulnerable SolarWinds WHD instances by matching specific strings in the HTTP response body of /helpdesk/WebObjects/Helpdesk.woa
- Version can be extracted from the response body via regex matching the build token pattern (e.g. ?v=12_8_3_1813) and compared against < 12.8.3.0 to confirm vulnerability
- Shodan query for exposed SolarWinds Web Help Desk instances using favicon hash
- CVE-2024-28986 is a Java deserialization RCE in the AjaxProxy component; monitor for unusual deserialization-related process spawning from the WHD Java process
- SolarWinds could not reproduce the vulnerability without authentication in their own testing, despite it being reported as unauthenticated; exploitation may require some form of authentication in certain configurations
- WHD 12.8.3 Hotfix 1 must NOT be applied if SAML Single Sign-On (SSO) is in use; a separate patch is required for SSO environments
- The hotfix requires the server to first be upgraded to Web Help Desk 12.8.3.1813 before the hotfix can be applied; applying to older versions is not supported
- CVE-2024-28986 has been bypassed twice (CVE-2024-28988, then CVE-2025-26399); patching only the original hotfix is insufficient; the latest version 12.8.7 with its hotfix must be applied
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 CRITICAL
cisa · 9.8 CRITICAL
GHSA
GHSA-vfrj-f292-3f24: SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if expl
ghsa_unreviewed·2025-09-23·CVSS 9.8
CVE-2025-26399 [CRITICAL] CWE-502 GHSA-vfrj-f292-3f24: SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if expl
SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986.
GHSA
GHSA-g536-h677-2w32: SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an
ghsa_unreviewed·2024-08-14
CVE-2024-28986 [CRITICAL] CWE-502 GHSA-g536-h677-2w32: SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.
While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.
However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.
VulnCheck
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
vulncheck·2024·CVSS 9.8
CVE-2024-28986 [CRITICAL] CWE-502 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.
Affected: SolarWinds Web Help Desk
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://research.checkpoint.com/2025/29th-september-threat-intelligence-report/; https://www.enisa.europa.eu/sites/default/files/2025-10/ENISA%20Threat%20Landscape%202025.pdf
Remediation Due: 2024-09-05
CISA
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
cisa·2024-08-15·CVSS 9.8
CVE-2024-28986 [CRITICAL] CWE-502 SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
Vulnerability: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
Affected: SolarWinds Web Help Desk
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28986; https://nvd.nist.gov/vuln/detail/CVE-2024-28986
Remediation Due Date: 2024-09-05
No detection rules found.
Nuclei
SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization
nuclei·CVSS 9.8
CVE-2024-28986 [CRITICAL] SolarWinds Web Help Desk < 12.8.3 - Insecure Deserialization
SolarWinds Web Help Desk versions before 12.8.3 contain a critical Java deserialization vulnerability that enables remote code execution. Attackers can exploit this flaw to execute arbitrary commands on the host machine. Initially reported as unauthenticated, SolarWinds was unable to reproduce without authentication but still recommended immediate patching. With a CVSS score of 9.8, this vulnerability was discovered by Inmarsat Government researchers and added to CISA's Known Exploited Vulnerabilities Catalog due to active exploitation in the wild. The complete attack vector requires low complexity and has high impact on confidentiality, integrity, and availability. This vulnerability was later bypassed, leading to CVE-2024-28988.
Checkpoint
16th March – Threat Intelligence Report
blogs_checkpoint·2026-03-16
CVE-2025-26399 16th March – Threat Intelligence Report
## 16th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 16th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
United States-based medical technology company Stryker has suffered a cyberattack that caused a global disruption to its environment. The company said its surgical robotics, clinical communications platform, and life support monitors are safe to use. Media reports said employee devices were factory reset across multiple locati
Checkpoint
2nd March – Threat Intelligence Report
blogs_checkpoint·2026-03-02
CVE-2025-59536 2nd March – Threat Intelligence Report
## 2nd March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Wynn Resorts, a United States-based casino and hotel operator, has confirmed that employee data was accessed following an extortion threat linked to ShinyHunters. The company said operations were not disrupted. Reports indicate the stolen dataset includes HR-related information, including contact details and employment records f
Bleepingcomputer
SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
blogs_bleepingcomputer·2026-01-28·CVSS 9.8
CVE-2025-40552 [CRITICAL] SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
## SolarWinds warns of critical Web Help Desk RCE, auth bypass flaws
## Sergiu Gatlan
SolarWinds has released security updates to patch critical authentication bypass and remote command execution vulnerabilities in its Web Help Desk IT help desk software.
The authentication bypass security flaws (tracked as CVE-2025-40552 and CVE-2025-40554) patched today by SolarWinds were reported by watchTowr's Piotr Bazydlo and can be exploited by remote unauthenticated threat actors in low-complexity attacks.
Bazydlo also found and reported a critical remote code execution (RCE) flaw (CVE-2025-40553) stemming from an untrusted data deserialization weakness that can enable attackers without privileges to run commands on vulnerable hosts.
A second RCE vulnerability (CVE-2025-40551) reported by
Checkpoint
29th September – Threat Intelligence Report
blogs_checkpoint·2025-09-29
CVE-2025-26399 29th September – Threat Intelligence Report
## 29th September – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 29th September, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Stellantis, Automotive maker giant which owns Citroën, FIAT, Jeep, Chrysler, and Peugeot, has suffered a data breach that resulted in exposure of North American customer contact information after attackers accessed a third-party platform tied to its Salesforce environment. ShinyHunters threat actor claims responsibili
Bleepingcomputer
SolarWinds releases third patch to fix Web Help Desk RCE bug
blogs_bleepingcomputer·2025-09-23·CVSS 9.8
CVE-2025-26399 [CRITICAL] SolarWinds releases third patch to fix Web Help Desk RCE bug
## SolarWinds releases third patch to fix Web Help Desk RCE bug
## Bill Toulas
SolarWinds has released a hotfix for a critical vulnerability in Web Help Desk that allows remote code execution (RCE) without authentication.
Tracked as CVE-2025-26399, the security issue is the company's third attempt to address an older flaw identified as CVE-2024-28986 that impacted Web Help Desk (WHD) 12.8.3 and all previous versions.
SolarWinds WHD is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance.
CVE-2025-26399 affects the latest WHD version 12.8.7 and is caused by unsafe deserialization handling in the AjaxProxy component. Successful exploitation allows an unauthenticat
Bleepingcomputer
SolarWinds fixes hardcoded credentials flaw in Web Help Desk
blogs_bleepingcomputer·2024-08-22·CVSS 9.8
[CRITICAL] SolarWinds fixes hardcoded credentials flaw in Web Help Desk
## SolarWinds fixes hardcoded credentials flaw in Web Help Desk
## Sergiu Gatlan
SolarWinds has released a hotfix for a critical Web Help Desk vulnerability that allows attackers to log into unpatched systems using hardcoded credentials.
Web Help Desk (WHD) is an IT help desk software widely used by government agencies, large corporations, and healthcare and education organizations to automate and streamline help desk management tasks. SolarWinds' IT management products are used by over 300,000 customers worldwide.
The security flaw (CVE-2024-28987) addressed this Wednesday enables unauthenticated attackers to access internal functionality and modify data on targeted devices following successful exploitation. This vulnerability was discovered and reported by Zach Hanley, vulnerabilit
Checkpoint
19th August – Threat Intelligence Report
blogs_checkpoint·2024-08-19
CVE-2024-38178 19th August – Threat Intelligence Report
## 19th August – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 19th August, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The campaign of United States presidential nominee Donald Trump has had its internal communications hacked and leaked, allegedly by an Iranian threat actor. This aligns with Microsoft’s previous identification of a related spear phishing attack by an Iranian group, raising concerns about foreign interference in the US elect
Bleepingcomputer
CISA warns critical SolarWinds RCE bug is exploited in attacks
blogs_bleepingcomputer·2024-08-16·CVSS 9.8
CVE-2024-28986 [CRITICAL] CISA warns critical SolarWinds RCE bug is exploited in attacks
## CISA warns critical SolarWinds RCE bug is exploited in attacks
## Sergiu Gatlan
CISA warned on Thursday that attackers are exploiting a recently patched critical vulnerability in SolarWinds' Web Help Desk solution for customer support.
Web Help Desk (WHD) is IT help desk software widely used by large corporations, government agencies, and healthcare and education organizations worldwide to centralize, automate, and streamline help desk management tasks.
Tracked as CVE-2024-28986, this Java deserialization security flaw allows threat actors to gain remote code execution on vulnerable servers and run commands on the host machine following successful exploitation.
SolarWinds issued a hotfix for the vulnerability on Wednesday, a day before CISA's warning. However, the company did not
Bleepingcomputer
SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
blogs_bleepingcomputer·2024-08-14·CVSS 9.8
CVE-2024-28986 [CRITICAL] SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
## SolarWinds fixes critical RCE bug affecting all Web Help Desk versions
## Bill Toulas
A critical vulnerability in SolarWinds' Web Help Desk solution for customer support could be exploited to achieve remote code execution, the American business software developer warns in a security advisory today.
The company has released a hotfix and says that the security issue, tracked as CVE-2024-28986, is a Java deserialization that would allow an attacker to run commands on a vulnerable host machine.
Web Help Desk (WHD) is an IT help desk software that centralizes, automates, and streamlines help desk management tasks. It is widely used by large corporations, government organizations, healthcare, education, and help desk centers.
SolarWinds notes that CVE-2024-28986 was reported as a vulnera
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
NoiseLetter February 2026
2024-08-13: Published
2024-08-15: Added to CISA KEV
Exploited in the wild