CVE-2024-28987 — SolarWinds Web Help Desk Hardcoded Credential Vulnerability


SolarWinds Web Help Desk — Hardcoded Credential in Java App Enables Unauthenticated Remote Access and Data Modification; Fixed WHD 12.8.3 HF2

What is SolarWinds Web Help Desk?

SolarWinds Web Help Desk (WHD) is an IT service management (ITSM) and help desk ticketing system used by organizations to manage IT support requests, asset tracking, and change management. WHD is deployed by IT departments in enterprises, government agencies, educational institutions, and managed service providers. Help desk systems process sensitive IT operational data: ticket contents describe system vulnerabilities, user credentials, and internal network configurations; asset inventories expose the organization's technology stack. A compromised WHD system also has potential connectivity to other IT management tools. SolarWinds became a high-profile target after the 2020 Orion supply-chain attack, and its products remain under elevated scrutiny by defenders and attackers alike.

Overview

CVE-2024-28987 is a hardcoded credential vulnerability (CWE-798) in SolarWinds Web Help Desk. The Java-based WHD application contains hardcoded credentials embedded in the application code or configuration — credentials that can be used by an unauthenticated remote attacker to access internal WHD functionality and modify data. This is a companion vulnerability to CVE-2024-28986 (Java deserialization RCE, fixed in WHD 12.8.3 HF1, KEV-listed August 2024): the hardcoded credential issue was addressed in the subsequent hotfix, WHD 12.8.3 HF2. CISA confirmed active exploitation and added it to the KEV catalog in October 2024.

Affected Versions

Product                    Vulnerable      Fixed
SolarWinds Web Help Desk   < 12.8.3 HF2    12.8.3 HF2

Technical Details

The hardcoded credential (CWE-798) vulnerability involves credentials that are baked into the WHD application code or configuration files — not configurable by administrators and not rotatable without a software update. Such credentials are often used for internal API communication, inter-service authentication, or database connectivity and are discoverable by any attacker who obtains the application binary or configuration (or independently discovers them by analyzing the application).

Access implications:

  • An unauthenticated attacker who knows or discovers the hardcoded credential can authenticate to an internal WHD API endpoint as a privileged user
  • This grants access to all help desk data: tickets, asset records, user accounts, stored credentials, and configuration
  • The attacker can create or modify tickets, view sensitive ticket contents (which often contain passwords or vulnerability details submitted by end users), modify asset data, or create new admin accounts for persistent access

Discovery method: Hardcoded credentials in Java applications are discoverable through JAR file decompilation. Once published (in a CVE advisory, security blog, or PoC), they are trivially usable by any attacker against unpatched instances.

WHD vulnerability cluster: CVE-2024-28986 (CWE-502, deserialization RCE, KEV August 2024) and CVE-2024-28987 (CWE-798, hardcoded credentials, KEV October 2024) represent two distinct critical vulnerabilities in the same WHD 12.8.3 release cycle. Both were also preceded by SolarWinds WHD deserialization vulnerabilities tracked in earlier KEV sessions (CVE-2024-40535, CVE-2024-40536).

Exploitation Context

CISA added CVE-2024-28987 to the KEV catalog on October 15, 2024, confirming active exploitation 55 days after the HF2 patch was released. SolarWinds help desk software runs in government and critical infrastructure environments covered by CISA's BOD 22-01, making the KEV listing particularly significant for those sectors.

Remediation

  1. Apply SolarWinds WHD 12.8.3 HF2 immediately. This addresses CVE-2024-28987. The CISA deadline was November 5, 2024.
  2. Also apply WHD 12.8.3 HF1 if not already done — this addressed the companion deserialization RCE CVE-2024-28986. Apply both hotfixes in sequence (HF1, then HF2), or start with HF2 if it is cumulative.
  3. Restrict WHD access — the Web Help Desk interface should not be exposed to untrusted networks or the internet; restrict access to internal corporate networks and VPN.
  4. Audit WHD user accounts for unauthorized accounts created during the exposure window.
  5. Review WHD ticket data for sensitive information that may have been accessed — tickets often contain passwords, sensitive configurations, or vulnerability details submitted by end users.
  6. Monitor WHD API access logs for calls from unexpected source IP addresses using privileged endpoints.
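As an added example (not part of the original advisory and not SolarWinds code), the following Python implements the log review in step 6: it parses constructed access-log lines and flags privileged WHD API calls that originate outside the trusted networks. The REST path prefix, the resource names treated as privileged and the trusted address ranges are assumptions to adjust per deployment.

```python
import ipaddress
import re

# Constructed sample in Tomcat/Apache combined access-log style; not real WHD output.
# The REST paths assume a WHD-style prefix /helpdesk/WebObjects/Helpdesk.woa/ra/
# (an assumption; adjust to what your instance actually logs).
SAMPLE_LOG = """\
10.20.5.17 - admin [16/Oct/2024:09:01:12 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/Tickets HTTP/1.1" 200 5120
203.0.113.44 - - [16/Oct/2024:09:02:03 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/ra/Clients HTTP/1.1" 201 318
203.0.113.44 - - [16/Oct/2024:09:02:09 +0000] "PUT /helpdesk/WebObjects/Helpdesk.woa/ra/Techs/3 HTTP/1.1" 200 212
10.20.5.18 - tech1 [16/Oct/2024:09:03:30 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/ra/Tickets HTTP/1.1" 201 640
198.51.100.9 - - [16/Oct/2024:09:05:44 +0000] "GET /helpdesk/ HTTP/1.1" 200 1200
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Networks from which WHD administration is expected (assumed values).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                ipaddress.ip_network("192.168.0.0/16")]

# Privileged surface: any write, plus reads of account/tech objects (assumed resource names).
WRITE_METHODS = {"POST", "PUT", "DELETE"}
PRIVILEGED_PREFIXES = ("/helpdesk/WebObjects/Helpdesk.woa/ra/Techs",
                       "/helpdesk/WebObjects/Helpdesk.woa/ra/Clients")

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    """True when the source address falls inside one of the trusted networks."""
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_NETS)

def is_privileged(method, path):
    """True for write requests and for reads of the privileged resources."""
    return method in WRITE_METHODS or path.startswith(PRIVILEGED_PREFIXES)

def find_suspicious(log_text):
    """Privileged API calls from outside the trusted networks, as (ip, method, path, status)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_privileged(rec["method"], rec["path"]) and not is_trusted(rec["ip"]):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["status"]))
    return hits
```

The status code is kept in each hit so an analyst can separate successful privileged calls from rejected attempts when triaging.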

Key Details

Property               Value
CVE ID                 CVE-2024-28987
Vendor / Product       SolarWinds — Web Help Desk
NVD Published          2024-08-21
NVD Last Modified      2025-10-27
CVSS 3.1 Score         9.1
CVSS 3.1 Vector        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity               CRITICAL
CWE                    CWE-798
CISA KEV Added         2024-10-15
CISA KEV Deadline      2024-11-05
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector          Network
Attack Complexity      Low
Privileges Required    None
User Interaction       None
Scope                  Unchanged
Confidentiality        High
Integrity              High
Availability           None

Required Action

CISA BOD 22-01 Deadline: 2024-11-05. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date          Event
2024-08-21    CVE published; SolarWinds releases WHD 12.8.3 HF2 with fix
2024-10-15    CISA adds to KEV (active exploitation confirmed, 55 days after patch)
2024-11-05    CISA BOD 22-01 remediation deadline

References

Resource                                        Type
SolarWinds Security Advisory — CVE-2024-28987   Vendor Advisory
NVD — CVE-2024-28987                            Vulnerability Database
CISA KEV Catalog Entry                          US Government