Executive Summary
In June 2024, SolarWinds disclosed and patched multiple critical vulnerabilities in its Web Help Desk software, including an authentication bypass (CVE-2024-28995) and a remote command execution (RCE) flaw. These security issues, if left unpatched, allow attackers to compromise systems with minimal or no authentication, granting them access to execute arbitrary commands and potentially control affected servers. SolarWinds urged its customers to update immediately and disclosed that no in-the-wild exploitation had been confirmed at the time of announcement, but the severity of the flaws warranted immediate action across enterprise environments.
This incident is particularly relevant due to a surge in software supply chain and IT management platform attacks, where adversaries exploit widely used admin tools to gain privileged access. Critical RCE and authentication vulnerabilities present potent risks to organizations, intensifying regulatory scrutiny and heightening the importance of timely patch management and proactive security measures.
Why This Matters Now
The disclosure of critical RCE and authentication bypass vulnerabilities in an IT management platform like SolarWinds Web Help Desk underscores the ongoing risks posed by insecure or unpatched administrative tools. Given the platform’s widespread use, rapid exploitation is likely if systems remain unpatched, creating urgent exposure for organizations across all industries.
Attack Path Analysis
The attacker exploited authentication bypass and remote command execution flaws in SolarWinds Web Help Desk to gain initial access. Following compromise, the adversary likely escalated privileges within the application or associated workload. With elevated access, the attacker attempted lateral movement to other services or infrastructure within the cloud environment. Establishing command and control, the threat actor may have set up outbound communications to receive instructions or exfiltrate data. The adversary then attempted to exfiltrate sensitive information using authorized or covert channels. Finally, the attacker could impact operations by modifying, deleting, or manipulating critical IT resources managed by the compromised help desk software.
Kill Chain Progression
Initial Compromise
Description
Attacker exploited a critical authentication bypass and remote command execution vulnerability in SolarWinds Web Help Desk to gain unauthorized access.
Related CVEs
CVE-2024-28986
CVSS 9.8A deserialization of untrusted data vulnerability in SolarWinds Web Help Desk allows remote code execution.
Affected Products:
SolarWinds Web Help Desk – < 12.8.3
Exploit Status:
exploited in the wildCVE-2024-28987
CVSS 9.1A hardcoded credential vulnerability in SolarWinds Web Help Desk allows remote unauthenticated access to internal functionality and data modification.
Affected Products:
SolarWinds Web Help Desk – < 12.8.3
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Defense Evasion
Valid Accounts
Exploitation for Privilege Escalation
Exploitation for Client Execution
Phishing
Network Sniffing
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Public-Facing Web Application Security
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 8
CISA ZTMM 2.0 – Strong Authentication
Control ID: Identity - 2.1
NIS2 Directive – Technical and Organisational Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Critical RCE and authentication bypass vulnerabilities in SolarWinds Web Help Desk expose IT service providers to complete system compromise and lateral movement across client networks.
Computer Software/Engineering
Software development organizations using SolarWinds help desk solutions face severe risks of unauthorized access, code repository compromise, and intellectual property theft through privilege escalation.
Financial Services
Banking and financial institutions utilizing Web Help Desk for IT support face regulatory compliance violations and potential data exfiltration of sensitive customer financial information.
Health Care / Life Sciences
Healthcare organizations risk HIPAA violations and patient data breaches through exploited help desk systems, enabling attackers to access protected health information and medical records.
Sources
- SolarWinds warns of critical Web Help Desk RCE, auth bypass flawshttps://www.bleepingcomputer.com/news/security/solarwinds-warns-of-critical-web-help-desk-rce-auth-bypass-flaws/Verified
- SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerabilityhttps://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28986Verified
- SolarWinds Web Help Desk Hardcoded Credential Vulnerabilityhttps://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987Verified
- CISA Known Exploited Vulnerabilities Cataloghttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-28986Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
This incident demonstrates clear CNSF and Zero Trust applicability, as each attack stage exploited gaps in segmentation, workload identity, lateral communication, and egress control. Enforcing microsegmentation, workload isolation, and strict egress governance could have prevented unauthorized movement and data exfiltration within the cloud environment.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Potentially blocked initial exploitation attempts.
Control: Zero Trust Segmentation
Mitigation: May have constrained privilege escalation paths.
Control: East-West Traffic Security
Mitigation: Likely detected or blocked unauthorized lateral movement.
Control: Multicloud Visibility & Control
Mitigation: Could have detected and restricted malicious outbound C2 communications.
Control: Egress Security & Policy Enforcement
Mitigation: Would prevent or alert on unauthorized data exfiltration attempts.
Segmentation and policy controls may have reduced attack scope, but business impact could still occur if detection or isolation was delayed.
Impact at a Glance
Affected Business Functions
- IT Help Desk Operations
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive customer support data due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- • Deploy inline IPS at cloud ingress to block exploitation of known vulnerabilities in exposed applications.
- • Enforce Zero Trust segmentation and least privilege policies to restrict movement after initial compromise.
- • Apply strict east-west traffic monitoring to detect and prevent lateral movement between workloads.
- • Implement advanced egress controls, including FQDN filtering and outbound policy enforcement, to limit C2 and data exfiltration.
- • Enhance continuous visibility and anomaly response for rapid detection and mitigation of unauthorized or destructive activities.
