Back to KEVs

CVE-2024-28986

SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability

Basic Information

CVE State
PUBLISHED
Reserved Date
March 13, 2024
Published Date
August 13, 2024
Last Updated
February 10, 2025
Vendor
SolarWinds
Product
Web Help Desk
Description
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.   However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

CVSS Scores

CVSS v3.1

9.8 - CRITICAL

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC Information

Exploitation
active
Automatable
Yes
Technical Impact
total

Exploit Status

Exploited in the Wild
Yes (added 2024-08-15 00:00:00 UTC) Source

References

https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28986 https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-1

Known Exploited Vulnerability Information

Source Added Date
CISA 2024-08-15 00:00:00 UTC