CISA warned on Thursday that attackers are exploiting a recently patched critical vulnerability in SolarWinds’ Web Help Desk solution for customer support.

Web Help Desk (WHD) is IT help desk software widely used by large corporations, government agencies, and healthcare and education organizations worldwide to centralize, automate, and streamline help desk management tasks.

Tracked as CVE-2024-28986, this Java deserialization security flaw allows threat actors to gain remote code execution on vulnerable servers and run commands on the host machine following successful exploitation.

SolarWinds issued a hotfix for the vulnerability on Wednesday, a day before CISA’s warning. However, the company did not disclose any information about in-the-wild exploitation, although it recommended all administrators apply the fix to vulnerable devices.

“While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available,” SolarWinds said.

“WHD 12.8.3 Hotfix 1 should not be applied if SAML Single Sign-On (SSO) is utilized. A new patch will be available shortly to address this problem.”

SolarWinds also published a support article with detailed instructions on applying and removing the hotfix, warning that admins must upgrade vulnerable servers to Web Help Desk 12.8.3.1813 before installing the hotfix.

The company recommends creating backups of the original files before replacing them during the installation process to avoid potential issues if the hotfix deployment fails or the hotfix isn’t applied correctly.

CISA added CVE-2024-28986 to its ts KEV catalog on Thursday, mandating federal agencies to patch their WHD servers within three weeks, until September 5, as required by the Binding Operational Directive (BOD) 22-01.

Earlier this year, SolarWinds also patched over a dozen critical remote code execution (RCE) flaws in its Access Rights Manager (ARM) software, eight in July and five in February.

In June, cybersecurity firm GreyNoise warned that threat actors were already exploiting a SolarWinds Serv-U path-traversal vulnerability, just two weeks after SolarWinds released a hotfix and days after proof-of-concept (PoC) exploits were published online.

SolarWinds says that the company’s IT management products are being used by more than 300,000 customers worldwide.