cbcvebase.
CVE-2024-28988
published 2025-09-01

Priority: P184 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 36.62% (98.3th percentile)

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability was found by the ZDI team after researching a previous vulnerability and providing this report. The ZDI team was able to discover an unauthenticated attack during their research. We recommend all Web Help Desk customers apply the patch, which is now available. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

Affected

5 ranges
Vendor      Product        Version range  Fixed in
solarwinds  web_help_desk  <= 12.8.6
solarwinds  web_help_desk  <= 12.8.2
solarwinds  web_help_desk
solarwinds  web_help_desk
solarwinds  web_help_desk

Detection & IOCs (extracted from sources)

path: /helpdesk/WebObjects/Helpdesk.woa
path: /bin/webapps/helpdesk/WEB-INF/lib/
other: http.favicon.hash:"1895809524"
filename: c3p0.jar
filename: whd-core.jar
filename: HikariCP.jar

  • Detect vulnerable SolarWinds Web Help Desk instances by requesting the Helpdesk.woa endpoint and matching version strings below 12.8.3.0 extracted from the build token query parameter pattern.
  • Match HTTP response body for SolarWinds WHD-specific strings to confirm product presence before version-checking.
  • Use Shodan favicon hash to identify exposed SolarWinds Web Help Desk instances on the internet.
  • CVE-2024-28988 is a patch bypass of CVE-2024-28986, targeting unsafe deserialization in the AjaxProxy component; monitor for unauthenticated POST requests to AjaxProxy endpoints on WHD servers.
  • The vulnerability was initially reported as unauthenticated, but SolarWinds was unable to reproduce it without authentication; exploitation requirements may vary.
  • CVE-2024-28988 is itself a patch bypass of CVE-2024-28986, and was subsequently bypassed again by CVE-2025-26399; patching to 12.8.3 or 12.8.7 alone may not be sufficient without applying the latest hotfix.
  • The hotfix for the latest bypass (CVE-2025-26399) requires WHD version 12.8.7 to be installed first before applying the hotfix JARs.