SolarWinds urges an immediate update to fix a critical Web Help Desk vulnerability
SolarWinds has released patches to fix a critical security vulnerability in its Web Help Desk software, identified as CVE-2024-28986. This flaw involves a Java deserialization issue that could permit an attacker to run commands on a compromised host machine. The company has issued a hotfix and urges users to install it immediately.
Initial reports indicated that the vulnerability could be exploited without authentication. However, SolarWinds' extensive testing has not confirmed this claim.
The vulnerability affects all versions of Web Help Desk up to and including version 12.8.3, and the issue is resolved in version 12.8.3 HF 1. SolarWinds advises all WHD customers to upgrade to the latest version, and recommends revoking secrets, passwords, and tokens configured in PAN-OS firewalls after the upgrade. To avoid potential issues, it also recommends creating backup copies of the original files before applying the hotfix.
