CISA Issues Warning: SolarWinds’ RCE Vulnerability Being Exploited

August 16, 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has raised an alarm about the exploitation of a recently patched critical vulnerability in SolarWinds' Web Help Desk solution. This software is commonly used by large corporations, government agencies, and organizations in the healthcare and education sectors for managing help desk tasks.

The security flaw, tracked as CVE-2024-28986, is a Java deserialization issue that allows threat actors to execute remote code on vulnerable servers and run commands on the host machine following successful exploitation.

SolarWinds released a hotfix for the vulnerability a day prior to the CISA's warning. The company, however, did not reveal any information regarding exploitation in the wild, although it advised all administrators to apply the fix to vulnerable devices. "While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available," SolarWinds stated.

The company also noted that the hotfix should not be applied if SAML Single Sign-On (SSO) is in use. A new patch addressing this issue will be available soon. SolarWinds published a support article providing detailed instructions on how to apply and remove the hotfix, with a warning that admins must upgrade vulnerable servers to Web Help Desk 12.8.3.1813 before installing the hotfix. It also recommended creating backups of the original files before replacing them during the installation process to avoid potential issues if the hotfix deployment fails or is not correctly applied.

CISA added CVE-2024-28986 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch their WHD servers within three weeks, until September 5, as required by the Binding Operational Directive (BOD) 22-01.

Earlier this year, SolarWinds also patched multiple critical remote code execution (RCE) flaws in its Access Rights Manager (ARM) software. In June, cybersecurity firm GreyNoise warned that threat actors were already exploiting a SolarWinds Serv-U path-traversal vulnerability, only two weeks after SolarWinds released a hotfix and days after proof-of-concept (PoC) exploits were published online. SolarWinds claims that its IT management products are being used by over 300,000 customers globally.

Latest News

• Microsoft Suspends BitLocker Security Patch, Recommends Manual Mitigation
• Black Basta Ransomware Group Linked to New Malware Campaign
• Critical Zero-Click Windows TCP/IP RCE Vulnerability Affects All IPv6-Enabled Systems: Urgent Patch Needed
• Windows SmartScreen Security Bypass Vulnerability Exploited Since March Now Patched
• Microsoft's August 2024 Patch Tuesday Addresses Nine Zero-Days, Six Currently Exploited