CISA has added three flaws to its ‘Known Exploited Vulnerabilities’ (KEV) catalog, among which is a critical hardcoded credentials flaw in SolarWinds Web Help Desk (WHD) that the vendor fixed in late August 2024.

SolarWinds Web Help Desk is an IT help desk suite used by 300,000 customers worldwide, including government agencies, large corporations, and healthcare organizations.

The SolarWinds flaw is tracked as CVE-2024-28987 and is caused by hardcoded credentials, a username of “helpdeskIntegrationUser” and password of “dev-C4F8025E7”. Using these credentials, remote unauthenticated attackers could potentially access WHD endpoints and access or modify data without restriction.

SolarWinds issued a hotfix four days after it received a report from Horizon3.ai researcher Zach Hanley, who discovered it, urging system admins to move to WHD 12.8.3 Hotfix 2 or later.

CISA has now added the flaw in KEV, indicating that it is being leveraged in attacks in the wild.

The U.S. government agency did not share many details about the malicious activity, and set the ransomware exploitation status to unknown.

Federal agencies and government organizations in the U.S. are expected to update to a safe version or stop using the product by November 5, 2024.

Given the active exploitation status of CVE-2024-28987, it is recommended that system administrators take the appropriate measures to secure WDH endpoints sooner than the set deadline.

The other two flaws are related to Windows and Mozilla Firefox, with both vulnerabilities already known to be exploited in attacks. CISA also requires federal agencies to patch these flaws by November 5.

The Windows flaw is a Kernel TOCTOU race condition tracked as CVE-2024-30088, which was discovered to be actively exploited by Trend Micro. The cybersecurity firm attributed the malicious activity to OilRig (APT34), who leveraged the flaw to elevate their privileges to the SYSTEM level on compromised devices.

Microsoft addressed the vulnerability in its June 2024 Tuesday Patch pack, but it is unclear when the active exploitation started.

The Mozilla Firefox CVE-2024-9680 flaw was discovered by ESET researcher Damien Schaeffer on October 8, 2024, and fixed by Mozilla 25 hours later.

Mozilla says that ESET provided an attack chain that could remotely execute code on a user’s device through the rendering of CSS animation timelines in Firefox.

Although ESET is still analyzing the attack they observed, a spokesperson told BleepingComputer that the malicious activity appears to originate from Russia and was likely used for espionage operations.