
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of a critical security vulnerability affecting SolarWinds Web Help Desk.
This vulnerability, tracked as CVE-2024-28986 with a CVSS score of 9.8, has been added to CISA’s Known Exploited Vulnerabilities catalog due to evidence of active exploitation.
The flaw, a Java deserialization issue, could allow attackers to execute arbitrary commands on affected systems. Though initially reported as potentially exploitable without authentication, SolarWinds’ engineers were able to reproduce the issue only after authentication. However, the critical severity and evidence of active attacks emphasize the seriousness of this vulnerability.
Federal agencies have been given a deadline of September 5, 2024, to patch their systems and mitigate the risk.


