Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

SolarWinds left some serious security flaws in its Web Desk Help platform, and now it's under attack

Shadowed hands on a digital background reaching for a login prompt.

Security researchers have uncovered a critical-severity vulnerability in one of SolarWinds' most popular software products.

SolarWinds' Web Help Desk is a web-based IT service management software that streamlines and automates help desk ticketing, asset management, and IT service management processes. It offers features like ticketing, incident and problem management, and a self-service portal, designed to improve the efficiency and responsiveness of IT support teams.

The bug, discovered by cybersecurity researcher Zach Hanley, from Horizon3.ai, is a simple (but too-often-seen) oversight - hardcoded admin credentials were left in the product. The vulnerability is tracked as CVE-2024-28987, and carries a severity score of 9.1/10. It affects Web Help Desk 12.8.3 HF1 and all previous versions.

The earliest clean version is 12.8.3 HF2.

Hardcoded credentials everywhere

A patch is already available, but it needs to be manually installed. Since the flaw allows unauthenticated threat actors to log into vulnerable endpoints, and fiddle with the data found there, users are urged to install the fix immediately.

One would think that for a product used by government, education, healthcare, and telecommunications companies (to name a few), such a simple error would not happen. However, hardcoded credentials are a frequent occurrence.

In October 2023, Cisco Emergency Responder (CER), the company’s emergency communication system used to respond to crises in a timely manner, had hardcoded credentials. In March 2024, researchers found that millions of GitHub projects had the same problem.

During the development stage, many IT pros would hardcode different authentication secrets in order to make their lives easier. However, they often forget to remove the secrets before publishing the code. Thus, should any malicious actors discover these secrets, they would get easy access to private resources and services, which can result in data breaches and similar incidents.

Via The Register

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.