CISA has added three flaws to its Known Exploited Vulnerabilities (KEV) catalog, including a critical hardcoded credentials flaw in SolarWinds Web Help Desk (WHD), which the vendor addressed in late August 2024.
SolarWinds Web Help Desk is an IT service management tool used by 300,000 customers globally, including government agencies, large corporations, and healthcare organizations.
The SolarWinds flaw, identified as CVE-2024-28987, is caused by hardcoded credentials with the username “helpdeskIntegrationUser” and the password “dev-C4F8025E7”. These credentials could allow remote, unauthenticated attackers to access WHD endpoints, enabling them to view or modify data without restriction.
SolarWinds released a hotfix just four days after receiving a report from Horizon3.ai researcher Zach Hanley, who discovered the vulnerability. The company urged system administrators to upgrade to WHD version 12.8.3 Hotfix 2 or later.
CISA has now added this flaw to the KEV catalog, signaling its use in real-world attacks.
Although the U.S. government agency did not provide extensive details on the associated malicious activity, it has marked the ransomware exploitation status as unknown.
Federal agencies and government organizations in the U.S. are expected to update to a secure version or cease using the product by November 5, 2024. Given the active exploitation of CVE-2024-28987, system administrators are strongly encouraged to secure WHD endpoints before the deadline.
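For administrators triaging the SolarWinds issue, the two practical questions are whether an instance is at or above 12.8.3 Hotfix 2 and whether the hardcoded account named in the advisory shows up in authentication or access logs. The script below is an added example for this article, not code from BleepingComputer, SolarWinds or Horizon3.ai. It assumes version strings of the form "12.8.3 Hotfix 2" (the format used in the advisory text) and a simple line-oriented log with a `user=` field; the sample log lines are constructed for the example and do not reflect WHD's real log format.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the SolarWinds advisory: 12.8.3 Hotfix 2 or later.
FIXED_VERSION = (12, 8, 3, 2)

# Account name from the CVE-2024-28987 description; the password is
# deliberately not reproduced here, since a defender only needs the username.
HARDCODED_USER = "helpdeskIntegrationUser"

# Assumption: version strings look like "12.8.3" or "12.8.3 Hotfix 2".
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*Hotfix\s*(\d+))?\s*$", re.IGNORECASE
)
_USER_RE = re.compile(re.escape(HARDCODED_USER), re.IGNORECASE)


def parse_whd_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a WHD version string into a comparable (major, minor, patch, hotfix) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised WHD version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_patched(version_text: str) -> bool:
    """True when the version is 12.8.3 Hotfix 2 or later (tuple comparison)."""
    return parse_whd_version(version_text) >= FIXED_VERSION


def find_hardcoded_account_use(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every log line that mentions the hardcoded account.

    Any appearance of the account name, successful or not, is worth a look,
    because legitimate administration should not be done under it.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if _USER_RE.search(line):
            hits.append((number, line.rstrip()))
    return hits


def triage(version_text: str, log_lines: List[str]) -> Dict[str, object]:
    """Combine the version check and the log sweep into one summary."""
    hits = find_hardcoded_account_use(log_lines)
    return {
        "patched": is_patched(version_text),
        "hardcoded_account_hits": hits,
        "source_addresses": sorted(
            {m.group(1) for _, line in hits for m in [re.search(r"src=(\S+)", line)] if m}
        ),
    }


# Constructed sample log; the format is invented for this example.
SAMPLE_LOG = """\
2024-10-15 08:12:03 INFO  login ok user=jsmith src=10.0.4.21
2024-10-15 08:12:41 INFO  login ok user=helpdeskIntegrationUser src=203.0.113.77
2024-10-15 08:13:02 INFO  api GET /tickets user=helpdeskIntegrationUser src=203.0.113.77
2024-10-15 08:15:19 WARN  login failed user=admin src=198.51.100.9
""".splitlines()


if __name__ == "__main__":
    summary = triage("12.8.3", SAMPLE_LOG)
    print("patched:", summary["patched"])
    for number, line in summary["hardcoded_account_hits"]:
        print(f"line {number}: {line}")
    print("sources:", summary["source_addresses"])
```

The version comparison treats a plain "12.8.3" as hotfix 0, so it correctly reports that release as unpatched, while any later patch level (12.8.4 and up) passes, matching the advisory's "or later" wording. Hits on the hardcoded account should be cross-checked against the source addresses before the instance is upgraded, since an upgrade alone does not tell you whether the account was already used.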
The two other flaws involve Windows and Mozilla Firefox, both of which are already known to be exploited in attacks. CISA has also set a November 5 deadline for federal agencies to patch these vulnerabilities.
The Windows flaw is a Kernel TOCTOU race condition, tracked as CVE-2024-30088, which Trend Micro found being actively exploited. The cybersecurity firm attributed the malicious activity to the OilRig group (APT34), which used the flaw to gain SYSTEM-level privileges on compromised devices.
Microsoft addressed the vulnerability in its June 2024 Patch Tuesday update, though the timeline for the active exploitation remains unclear.
The Mozilla Firefox vulnerability, tracked as CVE-2024-9680, was discovered by ESET researcher Damien Schaeffer on October 8, 2024, and was patched by Mozilla within 25 hours.
According to Mozilla, ESET provided an attack chain that could allow remote code execution on a user’s device via CSS animation timelines in Firefox.
Although ESET is still analyzing the attack, a spokesperson informed BleepingComputer that the malicious activity appears to originate from Russia and is likely part of an espionage campaign.
Source: BleepingComputer, Bill Toulas