IT management software provider SolarWinds has urged customers to immediately patch a critical vulnerability in its Web Help Desk platform.
CVE-2024-28986 is a Java deserialization remote code execution (RCE) bug discovered by Inmarsat Government researchers, according to an advisory published yesterday.
“SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine,” it explained.
“While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.”
The vendor said that all versions of Web Help Desk (WHD) should be upgraded to WHD 12.8.3, and then the hotfix should be installed.
CVE-2024-28986 has been given a CVSS v3 score of 9.8, illustrating the criticality of patching the issue immediately. SolarWinds has published instructions on how to upgrade to WHD 12.8.3 and install the hotfix, as well as how to uninstall it if required.
The firm also suggested that customers back up several files before applying the hotfix.
SolarWinds Faces Legal Scrutiny
In July a US judge dismissed most of the charges brought by the SEC against SolarWinds for a 2021 security breach which impacted thousands of customers.
He ruled that claims that SolarWinds and CISO Timothy Brown concealed the firm’s security weaknesses after the incident, thereby defrauding their investors, were based on “hindsight and speculation.”
The judge also dismissed SEC claims that the firm effectively hid cybersecurity weaknesses in its products before the attack.
However, he did rule that there are legitimate concerns about the failure of security controls embedded in SolarWinds products.