CVE-2024-28987

CRITICAL KEV NUCLEI

SolarWinds Web Help Desk - Hardcoded Credential

Title source: nuclei

Exploitation Summary

CVE-2024-28987 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added October 15, 2024. EIP tracks 5 public exploits from researchers including gh-ost00, horizon3ai, and alecclyde, as well as a Metasploit module, auxiliary/gather/solarwinds_webhelpdesk_backdoor. A Nuclei detection template is also available.

AI-analyzed exploit summary: This repository contains a scanner for CVE-2024-28987, which exploits hardcoded credentials in SolarWinds Web Help Desk. The script checks for the presence of the vulnerability by attempting to authenticate with the default credentials.

Description

The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing a remote unauthenticated user to access internal functionality and modify data.

Exploits (5)

nomisec SCANNER 12 stars
by gh-ost00 · remote
https://github.com/gh-ost00/CVE-2024-28987-POC

This repository contains a scanner for CVE-2024-28987, which exploits hardcoded credentials in SolarWinds Web Help Desk. The script checks for the presence of the vulnerability by attempting to authenticate with the default credentials.

Classification: Scanner 90%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SolarWinds Web Help Desk (versions prior to 12.8.3 HF2)
No auth needed
Prerequisites: List of target URLs
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 7 stars
by horizon3ai · remote
https://github.com/horizon3ai/CVE-2024-28987

This PoC exploits CVE-2024-28987, a hardcoded credential vulnerability in SolarWinds Web Help Desk, by sending an authenticated request to retrieve helpdesk tickets. The exploit uses a known base64-encoded credential to bypass authentication.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SolarWinds Web Help Desk
No auth needed
Prerequisites: Network access to the target SolarWinds Web Help Desk instance
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC
by alecclyde · remote
https://github.com/alecclyde/CVE-2024-28987

This PoC exploits CVE-2024-28987, a hardcoded credential vulnerability in SolarWinds Web Help Desk, to retrieve ticket data via unauthorized API access. It fetches up to 25 recent tickets and their details, then analyzes ticket IDs to estimate the total number of tickets in the system.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SolarWinds Web Help Desk (version not specified)
No auth needed
Prerequisites: Network access to the target SolarWinds Web Help Desk instance
devstral-2 · analyzed Feb 16, 2026

inthewild SCANNER
poc
https://github.com/fa-rrel/cve-2024-28987-poc

The repository contains a Python script that scans for the presence of hardcoded credentials in SolarWinds Web Help Desk (CVE-2024-28987). It checks for a specific endpoint and verifies if the default credentials 'helpdeskIntegrationUser:dev-C4F8025E7' are valid.

Classification: Scanner 95%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SolarWinds Web Help Desk (versions prior to 12.8.3 HF2)
No auth needed
Prerequisites: list of target URLs in a file
devstral-2 · analyzed Feb 23, 2026

metasploit WORKING POC
by Michael Heinzl, Zach Hanley · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/solarwinds_webhelpdesk_backdoor.rb

This Metasploit module exploits a hardcoded credential vulnerability (CVE-2024-28987) in SolarWinds Web Help Desk to authenticate and retrieve ticket data. It uses a backdoor account with known credentials to access the system.

Classification: Working PoC 100%
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: SolarWinds Web Help Desk <= v12.8.3
No auth needed
Prerequisites: Network access to the target system · SolarWinds Web Help Desk service running on port 8443
devstral-2 · analyzed Feb 16, 2026

Nuclei Templates (1)

SolarWinds Web Help Desk - Hardcoded Credential
CRITICAL · VERIFIED · by iamnoooob, rootxharsh, pdresearch
Shodan: http.favicon.hash:1895809524

Scores

CVSS v3 9.1
EPSS 0.9429
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2024-10-15
VulnCheck KEV 2024-10-15
InTheWild.io 2024-10-15
ENISA EUVD EUVD-2024-26049
CWE CWE-798
Status published
Products (2)
solarwinds/web_help_desk 12.8.3 (2 CPE variants)
solarwinds/web_help_desk < 12.8.3
Published Aug 21, 2024
KEV Added Oct 15, 2024
Tracked Since Feb 18, 2026