While no active exploitation has been reported yet, SolarWinds is recommending swift patching to stay ahead of the adversaries. Zach Hanley, the vulnerability researcher credited for the discovery of the vulnerability has promised further details.

“Reported a critical vulnerability to SolarWinds on Friday after digging into the recent CISA KEV CVE-2024-28986 for WebHelpDesk, amazed they’ve already shipped a patch 4 days later!” Hanley wrote on X. “Will release some details next month.”

Additional Fixes

Along with the fix for the WHD hardcoded credential vulnerability, the hotfix, which refers to a small, targeted software update designed to address specific vulnerabilities, also included an upgraded version of a recent hotfix addressing CVE-2024-28986, a 9.8 CVSS, remote code execution vulnerability affecting the same product.