SolarWinds has issued an update to address a hardcoded credential vulnerability in its Web Help Desk product that could allow remote unauthenticated users to access internal functionality, log into vulnerable instances, and modify sensitive data, The Register reports.
Web Help Desk is SolarWinds' asset management and help desk ticketing software. The flaw, tracked as CVE-2024-28987, received a 9.1 severity rating in the Common Vulnerability Scoring System. It affects Web Help Desk 12.8.3 HF1 and earlier versions, and users are encouraged to manually install 12.8.3 HF2 to remove the baked-in credentials. Horizon3.ai vulnerability researcher Zach Hanley discovered and disclosed the bug to SolarWinds on Friday, and has pledged to release more details about the flaw next month.
Hanley encourages organizations to install the hotfix immediately, noting that after the patch is installed, "requests to non-existent pages on patched instances will return no content / content-length 0."