Attacker Value
High
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
3

CVE-2024-28986

Disclosure Date: August 13, 2024
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.

While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.  

However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Add Assessment

1
Ratings
  • Attacker Value
    High
Technical Analysis

On Aug 9, 2024, SolarWinds published an advisory for CVE-2024-28986, with a CVSS score of 9.8 (Critical), affecting the Web Help Desk product.

Described as an unauthenticated deserialization vulnerability that allows for RCE, in the vendor description, SolarWinds were unable to replicate the unauthenticated portion of the vulnerability. Instead SolarWinds were only able to replicate the vulnerability with authentication (i.e. valid credentials were required to trigger the vulnerability). This is a discrepancy given the CVSS rating specifies Privileges Required of None. It is unclear how this vulnerability was reported to SolarWinds, as no credit is given in the advisory. So we do not have another source of information to help clarify this discrepancy. On August 15, 2024, this vulnerability was added to the CISA KEV list, for known exploitation in the wild.

Therefore, we know that at least one exploit exists, due to the confirmed exploitation in the wild, however, to the best of my knowledge, there is no known public exploit code available.

I have rated the attacker value as High, as deserialization vulnerabilities are a reliable method to achieve RCE against a target. However the internet exposure of Web Help Desk is relatively small, with Shadowserver reporting around 800 instances of Web Help Desk on the public internet (as of Aug 18, 2024).

Due to the lack of any public exploit code I have not rated the exploitability, as we cannot know this without the availability of a suitable technical analysis or exploit code.

CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • solarwinds

Products

  • web help desk,
  • web help desk 12.8.3

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis