cbcvebase.
CVE-2024-28987
published 2024-08-21


Priority: P1 · 99 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, due 2024-11-05
Exploited in the wild
EPSS: 93.16% (99.8th percentile)
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.

Affected (3 ranges)

Vendor      Product        Version range   Fixed in
solarwinds  web_help_desk  < 12.8.3        12.8.3
solarwinds  web_help_desk
solarwinds  web_help_desk

Detection & IOCs (extracted from sources)

other: username: helpdeskIntegrationUser / password: dev-C4F8025E7
path: /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/
other: Authorization: Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw==
snort
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Hardcoded Credentials Information Leak (CVE-2024-28987)"; flow:established,to_server; http.uri; content:"/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/"; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw=="; reference:url,www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/; reference:cve,2024-28987; classtype:attempted-admin; sid:2056167; rev:1; metadata:affected_product SolarWinds, attack_target Server, tls_state TLSDecrypt, created_at 2024_09_25, cve CVE_2024_28987, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_09_25; target:dest_ip;)
  • Detect exploitation attempts by matching HTTP requests to the OrionTickets endpoint with the hardcoded Basic Auth header value (Base64-encoded helpdeskIntegrationUser:dev-C4F8025E7).
  • Successful exploitation responses will contain both 'displayClient' and 'shortDetail' strings in the HTTP response body with a 200 status code.
  • Use Shodan favicon hash to identify exposed SolarWinds Web Help Desk instances for proactive hunting.
  • The Metasploit auxiliary module 'auxiliary/gather/solarwinds_webhelpdesk_backdoor' can be used to validate exploitation; monitor for its use in red team or threat actor activity.
  • The Snort/Suricata rule (ET sid:2056167) requires TLS decryption to be effective, as the Authorization header will be encrypted in HTTPS traffic. Deploy with SSLDecrypt/TLSDecrypt capability.
  • Before applying Hotfix 2, servers must first be upgraded to Web Help Desk 12.8.3.1813 or 12.8.3 HF1; applying the hotfix out of order may cause issues.
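The request-side and response-side detection notes above can be turned into log-level logic for environments that have decrypted HTTP transactions (e.g. from a TLS-terminating proxy) but no IDS in path. The following is an added example written for this page, not code from any of the cited sources or from SolarWinds; the `HttpTransaction` record layout and the sample transactions are this example's own constructed assumptions, while the endpoint path, the integration username and the response markers are the indicators listed above. It decodes the Basic token rather than comparing the raw Base64 string, so it also catches a request that carries the hardcoded user with a re-encoded or differently padded token, which the exact-content Snort match would miss.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass

# Indicators from this page's IOC list for CVE-2024-28987.
ORION_TICKETS_PATH = "/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/"
HARDCODED_USER = "helpdeskIntegrationUser"
SUCCESS_MARKERS = ("displayClient", "shortDetail")


@dataclass
class HttpTransaction:
    """One decrypted request/response pair (field layout assumed for this example)."""
    client_ip: str
    method: str
    uri: str
    headers: dict[str, str]
    status: int | None = None
    body: str = ""


def basic_auth_user(authz_header: str | None) -> str | None:
    """Return the username carried in an HTTP Basic Authorization header, or None."""
    if not authz_header:
        return None
    scheme, _, token = authz_header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # validate=True rejects tokens with characters outside the Base64 alphabet.
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None


def classify(tx: HttpTransaction) -> str | None:
    """Return 'attempt', 'success', or None for one transaction.

    'attempt': request to the OrionTickets endpoint authenticating as the
               hardcoded integration user (the request side of the ET rule).
    'success': the same request answered with HTTP 200 and both response
               markers present in the body.
    """
    if ORION_TICKETS_PATH not in tx.uri:  # substring match, like the rule's content:
        return None
    headers = {k.lower(): v for k, v in tx.headers.items()}  # header names are case-insensitive
    if basic_auth_user(headers.get("authorization")) != HARDCODED_USER:
        return None
    if tx.status == 200 and all(marker in tx.body for marker in SUCCESS_MARKERS):
        return "success"
    return "attempt"


def scan(transactions: list[HttpTransaction]) -> list[tuple[str, str, str]]:
    """Classify a batch; return (client_ip, uri, verdict) for every hit."""
    hits = []
    for tx in transactions:
        verdict = classify(tx)
        if verdict:
            hits.append((tx.client_ip, tx.uri, verdict))
    return hits


# Constructed sample transactions (not real traffic); IPs are RFC 5737 test addresses.
SAMPLE = [
    # Hardcoded credential accepted: full response markers, unpatched host.
    HttpTransaction("203.0.113.5", "GET", ORION_TICKETS_PATH,
                    {"Authorization": "Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw=="},
                    200, '[{"displayClient":"Acme","shortDetail":"printer down"}]'),
    # Same credential rejected (patched host): still worth an alert as an attempt.
    HttpTransaction("203.0.113.6", "GET", ORION_TICKETS_PATH + "?limit=1",
                    {"authorization": "Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw=="},
                    401, "Unauthorized"),
    # Ordinary user on a different path: no hit.
    HttpTransaction("198.51.100.9", "GET", "/helpdesk/WebObjects/Helpdesk.woa/wa/login",
                    {"Authorization": "Basic " + base64.b64encode(b"alice:hunter2").decode()},
                    200, "<html>"),
    # Right path but malformed token: decoder rejects it, no hit.
    HttpTransaction("198.51.100.10", "GET", ORION_TICKETS_PATH,
                    {"Authorization": "Basic not-base64!!"}, 400, ""),
]

if __name__ == "__main__":
    for ip, uri, verdict in scan(SAMPLE):
        print(f"{verdict:8s} {ip:15s} {uri}")
```

An 'attempt' verdict against a host that answers 401 is still useful triage data: the source is scanning for this specific backdoor credential, and the host inventory should be checked for any WHD instance that is not yet on 12.8.3 HF2.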

CVSS provenance

nvd (v3.1): 9.1 CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck: 9.1 CRITICAL
cisa: 9.1 CRITICAL