The Cybersecurity and Infrastructure Security Agency (CISA) added an actively exploited hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) software to its Known Exploited Vulnerabilities (KEV) catalog on Oct. 15.
The WHD flaw — CVE-2024-28987 (CVSS 9.1) — could let a remote unauthenticated user access internal network functionality without detection and then modify data, an especially serious issue because so much of what’s done at a help desk involves resetting sensitive password information.
Details of the flaw were first disclosed by SolarWinds in late August, with cybersecurity firm Horizon3.ai releasing additional technical specifics a month later.
Citing its finding of open exploitation, CISA has required federal agencies to fix the flaw by Nov. 5 — a move that security experts said also makes sense for commercial enterprises.
“CISA KEV vulnerabilities land on their list because they’ve been observed to be exploited in the wild,” said Zach Hanley, chief attack engineer at Horizon3.ai, and author of the Horizon3.ai report. “Not every bad actor has the same intentions, and while federal organizations may be valuable targets for foreign nation states, the private sector may be just as valuable for some other motives, such as financial gain.”
Omri Weinberg, co-founder and CRO at DoControl, said a hardcoded credentials flaw leaves the network doors wide open to attackers.
“While CISA's directive is aimed at federal agencies, corporate security teams need to treat this with the same urgency,” said Weinberg, who pointed to three reasons why businesses must also pay attention to this flaw:
- Help desk systems are treasure troves of sensitive information: All the work on a help desk, including password reset requests and service account credentials, requires detailed system information. If compromised, Weinberg said, it's like handing over the keys to the IT kingdom.
- The ease of exploitation: This isn't some complex, multi-step attack. It’s about unauthenticated, remote access, practically a “walk-in-the-park” for skilled attackers.
- Once inside the network, attackers can modify data: This isn't just about data theft — it's about potential service disruptions, falsified tickets, and a complete erosion of trust in an organization's support infrastructure.
Chen Burshan, chief executive officer of Skyhawk Security, pointed out that the latest SolarWinds vulnerability is essentially another case of leaked credentials. Burshan said hardcoded credentials are an unfortunate mistake with immense potential impact.
“Enterprises are no less exposed to this type of risk than federal agencies and to an extent maybe even more,” said Burshan. “Recent IBM research has pointed out that in 70% of the cloud attacks, the attacker is logging in using leaked credentials, not breaking in.”