Security News > 2024 > August > Critical RCE bug in SolarWinds Web Help Desk fixed (CVE-2024-28986)
SolarWinds has fixed a critical vulnerability in its Web Help Desk solution that may allow attackers to run commands on the host machine.
"While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available," the company advises.
SolarWinds Web Help Desk is a web-based IT help desk solution popular with SMBs, enterprises and managed service providers.
CVE-2024-28986 has been privately disclosed by security researchers and fixed with their help.
SolarWinds instructs customers to immediately upgrade their installations to version 12.8.3, apply the provided hotfix - Web Help Desk 12.8.3 Hotfix 1 - and install it.
While SolarWinds strongly recommends that customers install Web Help Desk on a server that is protected from unauthorized access by the public and is not internet-facing, there are surely some customers who have ignored the advice.
News URL
https://www.helpnetsecurity.com/2024/08/15/cve-2024-28986/
Related news
- PoC exploit for critical WhatsUp Gold RCE vulnerability released (CVE-2024-8785) (source)
- Veeam warns of critical RCE bug in Service Provider Console (source)
- Exploit released for critical WhatsUp Gold RCE flaw, patch now (source)
- Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console (source)
- Apache issues patches for critical Struts 2 RCE bug (source)
- BeyondTrust fixes critical vulnerability in remote access, support solutions (CVE-2024-12356) (source)
- Apache Tomcat Vulnerability CVE-2024-56337 Exposes Servers to RCE Attacks (source)
- Apache MINA CVE-2024-52046: CVSS 10.0 Flaw Enables RCE via Unsafe Serialization (source)
- Critical RCE Flaw in GFI KerioControl Allows Remote Code Execution via CRLF Injection (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-08-13 | CVE-2024-28986 | Deserialization of Untrusted Data vulnerability in Solarwinds web Help Desk SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. | 9.8 |