A critical, hardcoded credential bug in SolarWinds' Web Help Desk products has been found and exploited by criminals, according to the US Cybersecurity and Infrastructure Security Agency, which has added the flaw to its Known Exploited Vulnerabilities Catalog.

This 9.1 CVSS-rated flaw allows remote, unauthenticated attackers to log into vulnerable instances via these baked-in creds, and then access internal functionality and modify sensitive data.

While we don't have any details about the scope of these exploits, the software maker did fix the flaw in late August.

"We have seen no threat activity against patched instances and encourage all customers to update SolarWInds Web Help Desk (WHD) 12.8.3 HF1 and all previous versions to 12.8.3 HF2," a SolarWinds spokesperson told The Register, while sidestepping our questions about the exploit scope.

CISA declined to provide extra information about the bug, or how miscreants have abused it, beyond what's provided in the KEV.

The security oversight, tracked as CVE-2024-28987, affects Web Help Desk 12.8.3 HF1 and all previous versions, and has been fixed in 12.8.3 HF2. Note: the patch needs to be manually installed, and if you haven't already done so, add this to the to-do list or expect to be pwned.

As of late September, about 827 instances of SolarWinds Web Help Desk remained publicly exposed to the internet, according to Zach Hanley, a vulnerability researcher at Horizon3.ai who found and disclosed the flaw to SolarWinds.

"When assessing the exposure of our own clients, we found that organizations typically revealed sensitive process information for IT procedures such as user onboarding, password resets, and accessing shared resources," Hanley said at the time.

"While this vulnerability does not lead to fully compromising the WHD server itself, we found the risk of lateral movement via credentials was high," he wrote.

WHD is popular with state and local governments, and the education sector, Hanley added.

This is SolarWinds' second actively exploited bug in this same product in two months.

On August 13, the software maker released a hotfix for a critical deserialization remote code execution vulnerability in WHD, this one receiving a 9.8 CVSS severity rating. The flaw, tracked as CVE-2024-28986, was added to CISA's Known Exploited Vulnerabilities catalog two days later. ®

https://www.theregister.com//2024/10/16/solarwinds_critical_hardcoded_credential_bug/