On August 16th, Horizon3.ai Chief Attack Engineer Zach Hanley informed SolarWinds of a significant vulnerability, the SolarWinds Web Help Desk (WHD) Hardcoded Credential Vulnerability. The vulnerability is tracked as CVE-2024-28987 and was ranked 9.1 in severity.
Through the hardcoded credential, remote unauthenticated users can reach internal functionality of SolarWinds WHD and modify data, the company said in an advisory attributing the discovery to Hanley.
At 8 pm last night, SolarWinds issued SolarWinds Web Help Desk 12.8.3 Hotfix 2.
Zach will publish details of the vulnerability in the near future, and today urges that the hotfix be applied as soon as possible. He notes in a post on Twitter that, once the hotfix is applied, “requests to non-existent pages on patched instances will return no content / content-length 0.”
This entry was posted on August 22, 2024 at 3:34 pm and is filed under Commentary with tags horizon3.ai.
New Solar Winds Web Help Desk hardcoded credential vulnerability discovered by Horizon3.ai