CVE-2024-28988

CRITICAL

SolarWinds Web Help Desk - Unauthenticated Remote Code Execution via Java Deserialization

Title source: llm

Description

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability was found by the ZDI team after researching a previous vulnerability and providing this report. The ZDI team was able to discover an unauthenticated attack during their research. We recommend all Web Help Desk customers apply the patch, which is now available. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

References (2)

Core 2

Core References

Broken Link

https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-3

Patch, Vendor Advisory

https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28988

Scores

CVSS v3 9.8

EPSS 0.0695

EPSS Percentile 91.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-502

Status published

Products (2)

solarwinds/web_help_desk 12.8.3 (3 CPE variants)

solarwinds/web_help_desk < 12.8.2

Published Sep 01, 2025

Tracked Since Feb 18, 2026