Critical CVE-2024-28987 Threat in SolarWinds WHD: Act Now

SolarWinds has released updates to fix a critical vulnerability in its Web Help Desk (WHD) software. The flaw, tracked as CVE-2024-28987, is rated 9.1 on the CVSS scale. It allows remote unauthenticated users to gain unauthorized access to vulnerable parts of the system.

Zach Hanley, a security researcher at Horizon3, was credited with discovering and reporting this issue. The vulnerability stems from hardcoded credentials in the software.

Users are advised to update to version 12.8.3 Hotfix 2 to protect against this vulnerability. However, either Web Help Desk 12.8.3.1813 or 12.8.3 HF1 must already be installed before this update can be applied.

This incident follows closely on the heels of SolarWinds releasing an update to address another critical vulnerability in the same software, capable of enabling arbitrary code execution (CVE-2024-28986, CVSS Score: 9.8).

According to the US Cybersecurity and Infrastructure Security Agency (CISA), this vulnerability is being actively exploited in real attacks, though specific details of its exploitation are currently unknown.

Further information on CVE-2024-28987 is anticipated to be released next month. It is crucial for users to promptly install security updates in order to mitigate potential risks.
