The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added a critical security flaw impacting SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.
Tracked as CVE-2024-28987 (CVSS score: 9.1), the vulnerability relates to a case of hard-coded credentials that could be abused to gain unauthorized access and make modifications.
“SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data,” CISA said in an advisory.
Details of the flaw were first disclosed by SolarWinds in late August 2024, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later.
The vulnerability “allows unauthenticated attackers to remotely read and modify all help desk ticket details – often containing sensitive information like passwords from reset requests and shared service account credentials,” security researcher Zach Hanley said.
It is currently not clear how the shortcoming is being exploited in real-world attacks, and by whom. That said, the development comes two months after CISA added another flaw in the same software (CVE-2024-28986, CVSS score: 9.8) to the KEV catalog.
In light of active abuse, Federal Civilian Executive Branch (FCEB) agencies are required to apply the latest fixes (version 12.8.3 Hotfix 2 or later) by November 5, 2024, to secure their networks.