CVE-2024-28986

CVE Database · CVE-2024-28986

CVE-2024-28986

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

84.45%

Published

Aug 13, 2024

Modified

Oct 27, 2025

CISA Known Exploited Vulnerability

Added: 2024-08-15 · Due: 2024-09-05

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (2)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502

Affected Products (2)

solarwinds · web_help_deskvulnerable

References (3)

https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-1

Broken LinkVendor Advisory

https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28986

Vendor Advisory

https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-28986

US Government Resource

KEV Catalog EPSS Scores Vendors All CVEs