SolarWinds left hardcoded credentials in its Web Help Desk product that can be used by remote, unauthenticated attackers to log into vulnerable instances, access internal functionality, and modify sensitive data
The software maker has now issued an update to address that critical oversight; its users are encouraged to install the fix, which presumably removes the baked-in creds.
The security blunder, tracked as CVE-2024-28987, received a 9.1-out-of-10 CVSS severity rating. It affects Web Help Desk 12.8.3 HF1 and all previous versions, and has been fixed in 12.8.3 HF2. The hotfix patch, issued yesterday, has to be manually installed.
WHD is SolarWinds’ IT help desk ticketing and asset management software
[…]
Yes, we’re talking about the same supplier that had a backdoor silently added to its IT monitoring suite Orion by Russian spies so that the snoops could then infiltrate SolarWinds’ customer networks including US government departments.
[…]
Source: SolarWinds left hardcoded credentials in helpdesk product • The Register
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft