Critical hardcoded SolarWinds credential now exploited in the wild

A critical, hardcoded login credential in SolarWinds' Web Help Desk line has been exploited in the wild by criminals, according to the US Cybersecurity and Infrastructure Security Agency, which has added the security blunder to its Known Exploited Vulnerabilities (KEV) Catalog.

This 9.1 CVSS-rated oversight allows remote, unauthenticated attackers to log into vulnerable instances via these baked-in creds, and then access internal functionality and modify sensitive data.

This is the SolarWinds best known for the backdoor maliciously added to its Orion suite in a supply-chain attack by Russia on public and private organizations around the world.

While we don't have any details about the scope of this latest exploitation, the software maker did correct its error in late August.

"We have seen no threat activity against patched instances and encourage all customers to update SolarWInds Web Help Desk (WHD) 12.8.3 HF1 and all previous versions to 12.8.3 HF2," a SolarWinds spokesperson told The Register, while sidestepping our questions about the exploit scope.

CISA declined to provide extra information about the bug or how miscreants have abused it, beyond what's provided in the KEV.

The security oversight, tracked as CVE-2024-28987, affects Web Help Desk 12.8.3 HF1 and all previous versions, and has been fixed in 12.8.3 HF2. Note: the patch needs to be manually installed, and if you haven't already done so, add this to the to-do list.

As of late September, about 827 instances of SolarWinds Web Help Desk remained publicly exposed to the internet, according to Zach Hanley, a vulnerability researcher at Horizon3.ai who found and disclosed the flaw to SolarWinds.

"When assessing the exposure of our own clients, we found that organizations typically revealed sensitive process information for IT procedures such as user onboarding, password resets, and accessing shared resources," Hanley said at the time.

• SolarWinds left critical hardcoded credentials in its Web Help Desk product
• Thousands of Fortinet instances vulnerable to actively exploited flaw
• Cisco confirms 'ongoing investigation' after crims brag about selling tons of data
• Schools bombarded by nation-state attacks, ransomware gangs, and everyone in between

"While this vulnerability does not lead to fully compromising the WHD server itself, we found the risk of lateral movement via credentials was high," he wrote.

WHD is popular with state and local governments, and the education sector, Hanley added.

This is SolarWinds' second actively exploited bug in this same product in two months.

On August 13, the software maker released a hotfix for a critical deserialization remote code execution vulnerability in WHD, this one receiving a 9.8 CVSS severity rating. The flaw, tracked as CVE-2024-28986, was added to CISA's Known Exploited Vulnerabilities catalog two days later. ®