CVE-2024-28986 — SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

SolarWinds Web Help Desk — Java Deserialization RCE; CVSS 9.8; KEV-Listed 2 Days After Patch (WHD 12.8.3 HF1)

What is SolarWinds Web Help Desk?

SolarWinds Web Help Desk (WHD) is an IT service management and help desk ticketing system deployed by enterprises, government agencies, and managed service providers. See CVE-2024-28987 for full product context. The two CVEs — CVE-2024-28986 (deserialization RCE) and CVE-2024-28987 (hardcoded credential) — were discovered and patched in close sequence during August 2024, each requiring a separate hotfix (HF1 and HF2 respectively).

Overview

CVE-2024-28986 is a Java deserialization of untrusted data vulnerability (CWE-502) in SolarWinds Web Help Desk. Java deserialization vulnerabilities allow an attacker to send a crafted serialized object to the server; when deserialized, the object's code executes in the server's JVM context, achieving remote code execution. The extremely rapid CISA KEV listing — just two days after the August 13, 2024 patch — indicates either that exploitation was already confirmed in the wild before the patch was released, or that CISA had intelligence about imminent exploitation. This is one of the fastest patch-to-KEV timelines in the KEV catalog.

Affected Versions

Product                    Vulnerable      Fixed
SolarWinds Web Help Desk   < 12.8.3 HF1    12.8.3 HF1

Technical Details

The deserialization vulnerability (CWE-502) is in SolarWinds Web Help Desk's Java-based server application. WHD uses Java serialization for object communication — a well-known dangerous pattern when applied to untrusted network input. The vulnerability allows an attacker to submit a serialized Java object via the WHD network interface; WHD's deserialization code processes the object without adequate type validation.

Java deserialization exploitation: Java deserialization attacks rely on "gadget chains" — sequences of method calls triggered during the deserialization process that, when chained together, execute arbitrary OS commands. Common gadget libraries like Apache Commons Collections, Spring Framework, or other libraries present in the classpath provide the gadget chains. Tools like ysoserial generate ready-made gadget chain payloads for known vulnerable library combinations.

Execution context: Code executed via Java deserialization runs as the WHD service account — typically a Windows service account or a local system account with elevated privileges on the server.

No authentication requirement: The CVSS score reflects that no credentials are needed to trigger the deserialization — the vulnerable endpoint is reachable by unauthenticated attackers with network access to WHD.
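The "no adequate type validation" pattern described above, placed beside a hardened reader, as an added example that is not SolarWinds or WHD code: a JEP 290 ObjectInputFilter allowlist (Java 9+) rejects any class the endpoint does not expect before its readObject logic can run. The TicketRequest class is hypothetical, and a plain java.util.HashMap stands in for an unexpected class; no gadget chain is involved.

```java
import java.io.*;
import java.util.HashMap;

// Added example, not SolarWinds code: the CWE-502 pattern (reconstruct whatever
// class arrives on the wire) beside a JEP 290 allowlist filter (Java 9+).
public class DeserializationFilterDemo {

    // Hypothetical record type a WHD-like ticketing endpoint legitimately expects.
    static class TicketRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String subject;
        TicketRequest(String subject) { this.subject = subject; }
    }

    // Vulnerable pattern: no type validation, so any class on the classpath
    // (including a gadget chain in a third-party library) is instantiated and
    // its readObject logic runs before the caller ever sees the result.
    static Object deserializeUnrestricted(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: allow only the types this endpoint expects; the trailing
    // "!*" rejects every other class before its constructor or readObject runs.
    static Object deserializeFiltered(byte[] body) throws IOException, ClassNotFoundException {
        ObjectInputFilter allowlist = ObjectInputFilter.Config.createFilter(
                "DeserializationFilterDemo$TicketRequest;java.lang.String;!*");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            in.setObjectInputFilter(allowlist);
            return in.readObject(); // InvalidClassException if the filter rejects a class
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new TicketRequest("printer offline"));
        // Constructed stand-in for a class the endpoint never expects.
        byte[] unexpected = serialize(new HashMap<String, String>());
        // The unrestricted reader reconstructs the HashMap without complaint.
        System.out.println("unrestricted: " + deserializeUnrestricted(unexpected).getClass().getName());
        // The filtered reader accepts the expected type and refuses the other one.
        System.out.println("filtered: " + ((TicketRequest) deserializeFiltered(expected)).subject);
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered rejected: " + e.getMessage());
        }
    }
}
```

In production the same allowlist can be applied process-wide with the jdk.serialFilter system property instead of per stream, which also covers deserialization paths in third-party libraries.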

Companion vulnerability: CVE-2024-28987 (hardcoded credentials, patched in HF2) was discovered during the same WHD security review. Both must be patched; HF1 addresses the deserialization, HF2 addresses the hardcoded credentials.

Discovery

The vulnerability was reported to SolarWinds through their vulnerability disclosure program. SolarWinds released the fix within their hotfix cadence rather than waiting for a scheduled maintenance release, indicating they assessed the severity as requiring immediate action.

Exploitation Context

CISA's 2-day KEV listing (August 15, 2024, just 2 days after the August 13, 2024 patch) is exceptional. This speed typically indicates one of: (1) CISA had pre-patch intelligence about the vulnerability from threat feeds; (2) PoC code was immediately available and exploited; or (3) CISA was coordinating with SolarWinds on the disclosure and confirmed exploitation before the public patch. SolarWinds products remain high-priority targets following the 2020 supply-chain compromise — attackers monitor SolarWinds patches closely and exploit vulnerable instances rapidly.

Remediation

  1. Apply SolarWinds WHD 12.8.3 HF1 immediately to fix CVE-2024-28986. The CISA deadline was September 5, 2024.
  2. Also apply WHD 12.8.3 HF2 to address the companion CVE-2024-28987 (hardcoded credentials) — both hotfixes are required for complete remediation.
  3. Restrict WHD to internal network access only — the WHD web interface should not be exposed to the internet; network ACLs or a WAF should limit access to internal corporate IP ranges.
  4. Monitor WHD server process activity for unexpected child processes or network connections that would indicate post-exploitation command execution.
  5. Rotate WHD service account credentials if exploitation is suspected — the deserialized code executes as the service account, which may have cached credentials or domain permissions.
  6. Consider isolating the WHD server until patched — given the 2-day KEV listing, this is a patch-now-or-isolate situation.

Key Details

Property               Value
CVE ID                 CVE-2024-28986
Vendor / Product       SolarWinds — Web Help Desk
NVD Published          2024-08-13
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.8
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity               CRITICAL
CWE                    CWE-502
CISA KEV Added         2024-08-15
CISA KEV Deadline      2024-09-05
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           High

Required Action

CISA BOD 22-01 Deadline: 2024-09-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2024-08-13   CVE published; SolarWinds releases WHD 12.8.3 HF1 with fix
2024-08-15   CISA adds to KEV (2 days after patch — extremely rapid, likely pre-patch exploitation)
2024-09-05   CISA BOD 22-01 remediation deadline

References

Resource                                         Type
SolarWinds Security Advisory — CVE-2024-28986    Vendor Advisory
NVD — CVE-2024-28986                             Vulnerability Database
CISA KEV Catalog Entry                           US Government