CVE-2024-28987
Published 2024-08-21
Priority P1 · 99 · critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2024-11-05
Exploited in the wild
EPSS: 93.16% (99.8th percentile)
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| solarwinds | web_help_desk | < 12.8.3 | 12.8.3 |
| solarwinds | web_help_desk | — | — |
| solarwinds | web_help_desk | — | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule:
```
alert http1 any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Hardcoded Credentials Information Leak (CVE-2024-28987)"; flow:established,to_server; http.uri; content:"/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/"; fast_pattern; http.header; content:"Authorization|3a 20|Basic|20|aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw=="; reference:url,www.horizon3.ai/attack-research/cve-2024-28987-solarwinds-web-help-desk-hardcoded-credential-vulnerability-deep-dive/; reference:cve,2024-28987; classtype:attempted-admin; sid:2056167; rev:1; metadata:affected_product SolarWinds, attack_target Server, tls_state TLSDecrypt, created_at 2024_09_25, cve CVE_2024_28987, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, tag CISA_KEV, updated_at 2024_09_25; target:dest_ip;)
```
- Detect exploitation attempts by matching HTTP requests to the OrionTickets endpoint that carry the hardcoded Basic Auth header value (Base64 of helpdeskIntegrationUser:dev-C4F8025E7).
- Successful exploitation responses contain both the 'displayClient' and 'shortDetail' strings in the HTTP response body, with a 200 status code.
- Use the Shodan favicon hash to identify exposed SolarWinds Web Help Desk instances for proactive hunting.
- The Metasploit auxiliary module 'auxiliary/gather/solarwinds_webhelpdesk_backdoor' can be used to validate exploitation; monitor for its use in red team or threat actor activity.
- The Snort/Suricata rule (ET sid:2056167) requires TLS decryption to be effective, because the Authorization header is encrypted in HTTPS traffic. Deploy it with SSLDecrypt/TLSDecrypt capability.
- Before applying Hotfix 2, servers must first be upgraded to Web Help Desk 12.8.3.1813 or 12.8.3 HF1; applying the hotfix out of order may cause issues.
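The request-side and response-side indicators listed above, turned into a small log-scanning detector. This is an added example, not code from the Emerging Threats ruleset, Horizon3 or SolarWinds. It assumes a constructed one-dict-per-transaction schema for decrypted HTTP logs (`uri`, `headers`, `status`, `body`); the endpoint path, Base64 token, credential pair and response markers are the values on this page. Like the Suricata rule, it only sees the Authorization header in decrypted traffic.

```python
import base64

# Indicators taken from this page: the URI and Base64 token come from ET rule
# sid:2056167; the decoded username/password pair from the write-ups quoted below.
ORION_TICKETS_URI = "/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/"
HARDCODED_BASIC_B64 = "aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6ZGV2LUM0RjgwMjVFNw=="
HARDCODED_CREDS = ("helpdeskIntegrationUser", "dev-C4F8025E7")
RESPONSE_MARKERS = ("displayClient", "shortDetail")


def basic_credentials(authorization):
    """Decode an HTTP Basic Authorization header into (user, password).

    Returns None for a missing header, a non-Basic scheme, or a token that is
    not valid Base64/UTF-8, so malformed input never raises into the caller.
    """
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, _, password = raw.partition(":")
    return user, password


def classify(record):
    """Classify one decrypted HTTP transaction for CVE-2024-28987 indicators.

    `record` is a dict with keys uri, headers (dict), status (int or None) and
    body (str or None); this schema is an assumption of the example, not a real
    log format. Verdicts, most to least severe:
      'exploit_success' - hardcoded credential on the OrionTickets endpoint and a
                          200 response carrying both response markers
      'exploit_attempt' - hardcoded credential on the OrionTickets endpoint
      'suspicious_user' - the helpdeskIntegrationUser account used anywhere
      None              - nothing matched
    """
    headers = {k.lower(): v for k, v in record.get("headers", {}).items()}
    creds = basic_credentials(headers.get("authorization"))
    if creds is None:
        return None
    on_endpoint = record.get("uri", "").startswith(ORION_TICKETS_URI)
    if on_endpoint and creds == HARDCODED_CREDS:
        body = record.get("body") or ""
        if record.get("status") == 200 and all(m in body for m in RESPONSE_MARKERS):
            return "exploit_success"
        return "exploit_attempt"
    if creds[0] == HARDCODED_CREDS[0]:
        return "suspicious_user"
    return None


def scan(records):
    """Return [(index, verdict)] for every record that matched an indicator."""
    hits = []
    for i, rec in enumerate(records):
        verdict = classify(rec)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed sample transactions (not real traffic) covering each verdict.
SAMPLE_RECORDS = [
    {"uri": "/helpdesk/WebObjects/Helpdesk.woa", "headers": {},
     "status": 200, "body": "<html>login</html>"},
    {"uri": ORION_TICKETS_URI,
     "headers": {"Authorization": "Basic " + HARDCODED_BASIC_B64},
     "status": 200,
     "body": '[{"displayClient":"Acme","shortDetail":"VPN outage"}]'},
    {"uri": ORION_TICKETS_URI + "?page=2",
     "headers": {"authorization": "Basic " + HARDCODED_BASIC_B64},
     "status": 401, "body": ""},
    # Constructed path: the integration account with a different password
    # elsewhere in the application is still worth a look.
    {"uri": "/helpdesk/WebObjects/Helpdesk.woa/ra/OtherEndpoint/",
     "headers": {"Authorization": "Basic " + base64.b64encode(
         b"helpdeskIntegrationUser:rotated-password").decode()},
     "status": 200, "body": "[]"},
    {"uri": ORION_TICKETS_URI,
     "headers": {"Authorization": "Bearer not-basic-at-all"},
     "status": 403, "body": ""},
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {verdict}")
```

Comparing the decoded credential pair rather than the raw token matches what the ET rule does for the canonical encoding while also tolerating header whitespace, and the `suspicious_user` verdict surfaces any later use of the integration account, which is useful after the hotfix has been applied.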
CVSS provenance
nvd · v3.1 · 9.1 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vulncheck · 9.1 CRITICAL
cisa · 9.1 CRITICAL
GHSA
GHSA-4jq7-4qmf-m333 · ghsa_unreviewed · 2024-08-22
CVE-2024-28987 [CRITICAL] CWE-798
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.
VulnCheck
SolarWinds Web Help Desk Hardcoded Credential Vulnerability · vulncheck · 2024 · CVSS 9.1
CVE-2024-28987 [CRITICAL] CWE-798
SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data.
Affected: SolarWinds Web Help Desk
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://info.greynoise.io/hubfs/resources/GreyNoise-2025-Mass-Internet-Exploitation-Report.pdf
- https://cyble.com/blog/week-in-vulnerabilities-ivanti-flagged-by-cyble/
Exploit PoC:
- https://vulncheck.com/xdb/d11c0c1a7a29
- https://vulncheck.com/xdb/1378be70d8dd
- https://vulncheck.com/xdb/cb33e9cd9
CISA
SolarWinds Web Help Desk Hardcoded Credential Vulnerability · cisa · 2024-10-15 · CVSS 9.1
CVE-2024-28987 [CRITICAL] CWE-798
Affected: SolarWinds Web Help Desk
SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes:
- https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
- https://nvd.nist.gov/vuln/detail/CVE-2024-28987
Remediation Due Date: 2024-11-05
Suricata
ET WEB_SPECIFIC_APPS SolarWinds Web Help Desk Hardcoded Credentials Information Leak (CVE-2024-28987) · suricata · 2024-09-25 · CVSS 9.1
CVE-2024-28987 [CRITICAL]
Rule: ET sid:2056167, rev:1; the full rule text is given in the Detection & IOCs section above.
Metasploit
SolarWinds Web Help Desk Backdoor (CVE-2024-28987) · metasploit · CVSS 9.1
CVE-2024-28987 [CRITICAL]
This module exploits a backdoor in SolarWinds Web Help Desk <= v12.8.3 to retrieve all tickets from the system.
Nuclei
SolarWinds Web Help Desk - Hardcoded Credential · nuclei · CVSS 9.1
CVE-2024-28987 [CRITICAL]
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.
Template:
```yaml
id: CVE-2024-28987

info:
  name: SolarWinds Web Help Desk - Hardcoded Credential
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
  impact: |
    Attackers with knowledge of the hardcoded credentials can gain unauthorized access to the SolarWinds Web Help Desk system.
  remediation: |
    Update SolarWinds Web Help Desk to a version that removes the hardcod
```
Bleepingcomputer
## SolarWinds Web Help Desk flaw is now exploited in attacks
blogs_bleepingcomputer · Bill Toulas · 2024-10-16 · CVSS 9.1 · [CRITICAL]
CISA has added three flaws to its 'Known Exploited Vulnerabilities' (KEV) catalog, among which is a critical hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) that the vendor fixed in late August 2024.
SolarWinds Web Help Desk is an IT help desk suite used by 300,000 customers worldwide, including government agencies, large corporations, and healthcare organizations.
The SolarWinds flaw is tracked as CVE-2024-28987 and is caused by hardcoded credentials, a username of "helpdeskIntegrationUser" and password of "dev-C4F8025E7". Using these credentials, remote unauthenticated attackers could potentially access WHD endpoints and access or modify data without restriction.
SolarWinds issued a hotfix four
Bleepingcomputer
## SolarWinds fixes hardcoded credentials flaw in Web Help Desk
blogs_bleepingcomputer · Sergiu Gatlan · 2024-08-22 · CVSS 9.8 · [CRITICAL]
SolarWinds has released a hotfix for a critical Web Help Desk vulnerability that allows attackers to log into unpatched systems using hardcoded credentials.
Web Help Desk (WHD) is an IT help desk software widely used by government agencies, large corporations, and healthcare and education organizations to automate and streamline help desk management tasks. SolarWinds' IT management products are used by over 300,000 customers worldwide.
The security flaw (CVE-2024-28987) addressed this Wednesday enables unauthenticated attackers to access internal functionality and modify data on targeted devices following successful exploitation. This vulnerability was discovered and reported by Zach Hanley, vulnerabilit
Greynoiseio
NoiseLetter October 2024 · blogs_greynoiseio
References:
- https://support.solarwinds.com/SuccessCenter/s/article/SolarWinds-Web-Help-Desk-12-8-3-Hotfix-2
- https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987
- https://www.theregister.com/2024/08/22/hardcoded_credentials_bug_solarwinds_whd/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-28987
2024-08-21 · Published
2024-10-15 · Added to CISA KEV
Exploited in the wild