CVE-2024-28987: 
SolarWinds Web Help Desk vulnerability analysis and mitigation

The SolarWinds Web Help Desk (WHD) software was found to contain a hardcoded credential vulnerability identified as CVE-2024-28987. This critical vulnerability allows remote unauthenticated users to access internal functionality and modify data within the system. The vulnerability affects WHD version 12.8.3 HF1 and all previous versions, with a fix available in version 12.8.3 HF2. The vulnerability was discovered in August 2024 and received a Critical CVSS score of 9.1 (SolarWinds Advisory, Horizon3 Research).

The vulnerability stems from hardcoded developer login credentials embedded directly in the code, specifically "helpdeskIntegrationUser" and "dev-C4F8025E7". Unlike other credentials that are retrieved from global declarations in AppProperties, these credentials were directly referenced in the code. The vulnerability exists in the OrionTicketController, which extends the BasicAuthRouteController for performing authentication, and notably has no restrictions on the requesting IP address being localhost like many other controllers enforce (Horizon3 Research).

The vulnerability enables unauthorized access to help desk ticket details, which often contain sensitive information such as passwords from reset requests and shared service account credentials. This is particularly concerning as WHD is used across government, education, healthcare, nonprofit, and telecommunications sectors (The Register).

SolarWinds has released version 12.8.3 Hotfix 2 (HF2) to address this vulnerability. Organizations are strongly advised to upgrade to this version immediately. The patch must be manually installed, and after application, requests to non-existent pages on patched instances will return no content with content-length 0 (SolarWinds Advisory).

The discovery of this vulnerability has raised particular concern given SolarWinds' previous security incidents, including the notorious Russian spy campaign that compromised their Orion software. The security community has emphasized the urgency of patching this vulnerability, with researchers and security firms strongly recommending immediate remediation (The Register).