SolarWinds Urges Upgrade After Revealing Critical RCE Bug
IT management software provider SolarWinds has urged customers to immediately patch a critical vulnerability in its Web Help Desk platform.
CVE-2024-28986 is a Java deserialization remote code execution (RCE) bug discovered by Inmarsat Government researchers, according to an advisory published yesterday.
“SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine,” it explained.
“While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.”
The vendor said that all versions of Web Help Desk (WHD) should first be upgraded to WHD 12.8.3, and that the hotfix should then be installed on top of that release.
CVE-2024-28986 has been given a CVSS v3 score of 9.8, underlining the urgency of patching the issue immediately. SolarWinds has published instructions on how to upgrade to WHD 12.8.3 and install the hotfix, as well as how to uninstall it if required.
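The vulnerability class named in the advisory, Java deserialization leading to command execution, arises when an application reconstructs objects from untrusted bytes without restricting which classes the stream may instantiate. The standard platform-level mitigation is a deserialization filter (JEP 290, available since Java 9) that allow-lists the expected types and rejects everything else before any class's deserialization logic runs. The example below is added here to illustrate that defence in general; it is not SolarWinds code, it says nothing about how Web Help Desk performs deserialization, and the `TicketNote` type, the limits string and the sample payloads are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Set;

// Added example (requires Java 17+ for ObjectInputFilter.merge): an allow-list
// deserialization filter for the java.io serialization mechanism.
public class DeserializationFilterDemo {

    // Hypothetical application type: the only object we ever expect to receive.
    static final class TicketNote implements Serializable {
        private static final long serialVersionUID = 1L;
        final String author;
        final String text;

        TicketNote(String author, String text) {
            this.author = author;
            this.text = text;
        }

        @Override
        public String toString() {
            return "TicketNote[" + author + ": " + text + "]";
        }
    }

    // Allow-list filter: only TicketNote (and String, for its fields) may be
    // instantiated; every other class descriptor in the stream is rejected.
    // Resource limits are merged in so a hostile stream cannot exhaust the
    // JVM with deep graphs or huge payloads before the class check applies.
    static ObjectInputFilter allowListFilter() {
        Set<String> allowed = Set.of(TicketNote.class.getName(), "java.lang.String");

        ObjectInputFilter classFilter = info -> {
            Class<?> c = info.serialClass();
            if (c == null) {
                // Non-class checks (depth, reference count, stream size) are
                // left to the limits filter below.
                return ObjectInputFilter.Status.UNDECIDED;
            }
            return allowed.contains(c.getName())
                    ? ObjectInputFilter.Status.ALLOWED
                    : ObjectInputFilter.Status.REJECTED;
        };

        // Constructed limits for this demo; tune to the real message size.
        ObjectInputFilter limits =
                ObjectInputFilter.Config.createFilter("maxdepth=5;maxrefs=100;maxbytes=65536");

        return ObjectInputFilter.merge(classFilter, limits);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed on this stream only.
    static Object deserializeFiltered(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(allowListFilter());
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected input: accepted.
        byte[] ok = serialize(new TicketNote("alice", "printer on floor 2 is jammed"));
        System.out.println("accepted: " + deserializeFiltered(ok));

        // Any class outside the allow-list (a plain HashMap here) is refused
        // with InvalidClassException before its deserialization code executes.
        byte[] unexpected = serialize(new HashMap<String, String>());
        try {
            deserializeFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two design points worth noting. The filter is attached per stream with `setObjectInputFilter`, so it protects exactly the input path that receives untrusted data; the same pattern syntax can also be applied JVM-wide through the `jdk.serialFilter` system property, which is the easier control when the application's own deserialization call sites are not under your control. Rejection happens at class-descriptor resolution, which is why an allow-list is preferable to a deny-list: a gadget class that nobody anticipated is still refused.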
The firm also advised customers to back up several files before applying the hotfix, presumably so that the change can be reverted if something goes wrong during the process.
In July a US judge dismissed most of the charges brought by the SEC against SolarWinds over a 2021 security breach that impacted thousands of customers.
He ruled that claims that SolarWinds and CISO Timothy Brown concealed the firm’s security weaknesses after the incident, thereby defrauding their investors, were based on “hindsight and speculation.”
The judge also dismissed SEC claims that the firm effectively hid cybersecurity weaknesses in its products before the attack.
However, he did rule that there are legitimate concerns about the failure of security controls embedded in SolarWinds products.