SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.
The vulnerability stems from unsafe Java deserialization (CWE-502) — the application processes untrusted input without proper validation, enabling embedding of malicious payloads. Successful exploitation allows an attacker to execute commands directly on the host machine. The vulnerability was originally reported as not requiring authentication, however SolarWinds was unable to reproduce the exploit without authentication after exhaustive testing — the authentication requirement remains ambiguous.
An attacker can gain full control over the server by executing arbitrary system commands remotely (RCE), which threatens the confidentiality, integrity, and availability of the entire system.
The patch provided by SolarWinds must be applied immediately — WHD 12.8.3 Hotfix 1, available at the address indicated in the vendor's references (support.solarwinds.com). SolarWinds recommends applying the update to all Web Help Desk product users.
SolarWinds Web Help Desk — versions indicated in the vendor's references (patch available in version WHD 12.8.3 Hotfix 1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSolarwinds Web Help Desk
APPSolarwinds12.8.3≤ 12.8.2
CISA KEV — detailsi
- Vendori
- SolarWinds
- Producti
- Web Help Desk
- Added to KEVi
- August 15, 2024
- Remediation deadline (US Federal)i
- September 5, 2024(overdue)
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution.
Related vulnerabilities
RCE przez deserializację w SolarWinds Web Help Desk — bez uwierzytelnienia
RCE przez deserializację AjaxProxy w SolarWinds Web Help Desk (nieuwierzytelniony)
SolarWinds Web Help Desk – hardcoded credential umożliwia zdalny dostęp
SolarWinds Web Help Desk — pominięcie uwierzytelnienia (Auth Bypass)
SolarWinds Web Help Desk — zdalne wykonanie kodu przez niebezpieczną deserializację