CVE-2024-28999

MEDIUM

SolarWinds Platform < 2024.2 - Race Condition in Web Console

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2024-28999. PoCs published by Elhussain Fathy, HussainFathy.

AI-analyzed exploit summary This exploit leverages a race condition in SolarWinds Platform 2024.1 SR1 to bypass authentication by concurrently testing multiple passwords with pre-established sessions. It uses asynchronous requests to exploit the vulnerability.

Description

The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.

Exploits (2)

exploitdb WORKING POC

by Elhussain Fathy · pythonwebappsmultiple

https://www.exploit-db.com/exploits/52055

View Code ZIP pw:eip

This exploit leverages a race condition in SolarWinds Platform 2024.1 SR1 to bypass authentication by concurrently testing multiple passwords with pre-established sessions. It uses asynchronous requests to exploit the vulnerability.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Racy

Target: SolarWinds Platform 2024.1 SR1 and previous versions

No auth needed

Prerequisites: Network access to the target SolarWinds instance · A list of passwords to test

MITRE ATT&CK

T1110.001 - Password Guessing T1557 - Adversary-in-the-Middle

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 3 stars

by HussainFathy · poc

https://github.com/HussainFathy/CVE-2024-28999

View Code ZIP pw:eip

This exploit leverages a race condition vulnerability in the SolarWinds Platform login page (CVE-2024-28999) to brute-force credentials by sending concurrent authentication requests with different passwords. It uses asyncio to exploit the race condition, potentially bypassing authentication limits.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Racy

Target: SolarWinds Platform 2024.1 SR 1 and previous versions

No auth needed

Prerequisites: Network access to the SolarWinds Platform login page · A list of passwords to test

MITRE ATT&CK

T1110.001 - Password Guessing

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28999

Release Notes release-notes

https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2024-2_release_notes.htm

Scores

CVSS v3 6.4

EPSS 0.1391

EPSS Percentile 96.1%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-362

Status published

Products (1)

solarwinds/solarwinds_platform < 2024.2

Published Jun 04, 2024

Tracked Since Feb 18, 2026