The US cybersecurity agency CISA on Thursday warned that a fresh critical-severity vulnerability in SolarWinds Web Help Desk has been exploited in attacks.
The bug, tracked as CVE-2024-28986 (CVSS score of 9.8), is described as a Java deserialization remote code execution (RCE) issue: the application deserializes attacker-controlled Java objects, which could allow attackers to run commands on the host machine.
This week, SolarWinds announced a hotfix that addresses the vulnerability, noting that authentication is required for successful exploitation, but its advisory did not mention in-the-wild exploitation.
“While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing,” the company said in its advisory.
https://www.securityweek.com/solarwinds-web-help-desk-vulnerability-possibly-exploited-as-zero-day/