
October 16, 2024

Critical SolarWinds vulnerability actively exploited


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is warning that threat actors are actively exploiting a two-month-old critical vulnerability in SolarWinds Web Help Desk (WHD), used by organizations to efficiently accept, track, and respond to support requests. The flaw, designated CVE-2024-28987, is a hardcoded credential vulnerability that could be leveraged by unauthenticated threat actors to remotely read and modify help desk tickets, which often contain sensitive information like passwords and shared account credentials.

SolarWinds released a patch to address CVE-2024-28987 in August 2024. Just one week before, the company had released a patch to address a different critical vulnerability in WHD, CVE-2024-28986, which could lead to arbitrary code execution when exploited.

CISA has added CVE-2024-28987 to its Known Exploited Vulnerability (KEV) catalog and has issued an order to federal agencies to patch their systems by November 5. The agency did not share further details on how CVE-2024-28987 was being exploited or by which threat actor.

Source: The Hacker News

Analysis

The exploitation of CVE-2024-28987 highlights the importance of organizations having a mechanism to identify and patch vulnerable devices and software within a reasonable time frame. If every organization were to do this, threat actors would have a significantly smaller attack surface.

Vulnerabilities in SolarWinds products have been a popular target for threat actors in 2024. In addition to the exploitation of CVE-2024-28987, a high-severity directory traversal vulnerability in SolarWinds Serv-U software was quickly exploited in June 2024 after proof-of-concept (PoC) code was publicly released by an overly eager cybersecurity company before admins had the chance to patch their systems.

While there’s no doubt that SolarWinds products have a history of being targeted by threat actors, it’s hard to say if this is due to perceived security lapses in coding or if SolarWinds users are just particularly interesting to threat actors.

For example, when Russia’s Foreign Intelligence Service (SVR) infiltrated SolarWinds’ internal systems and injected malicious code into SolarWinds Orion builds, it was able to deploy the Sunburst backdoor on thousands of systems, impacting 96% of Fortune 500 companies as well as many U.S. government departments.

Mitigation

Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in services like Web Help Desk. Field Effect MDR users are automatically notified if a vulnerable service, software, or device is detected in their environment and are encouraged to review these AROs as quickly as possible via the Field Effect Portal.

Field Effect strongly recommends that impacted users install the patch as soon as possible, in accordance with SolarWinds’ original advisory.
