20250108002 (#1150)

* 20250108002 * Update and rename 20250108002 Changed Title and updated Overview to reflect this is newly developed information, and not re-advising on the same CVE. Included link to original advisory in Overview. --------- Co-authored-by: JadonWill <117053393+JadonWill@users.noreply.github.com>
wagov · Jan 8, 2025 · 7279c92 · 7279c92
1 parent c7cb31a
commit 7279c92
Showing 1 changed file with 25 additions and 0 deletions.
diff --git a/docs/advisories/20250108002-SolarWinds-WHD-Scanner-And-Exploiter.md b/docs/advisories/20250108002-SolarWinds-WHD-Scanner-And-Exploiter.md
@@ -0,0 +1,25 @@
+# SolarWinds Web Help Desk Vulnerability Scanner and Exploiter - 20250108002 
+
+## Overview
+
+Since publishing [Advisory 20241001001](https://soc.cyber.wa.gov.au/advisories/20241001001-SolarWinds-Critical-Vulnerability/), the WA SOC has been notified of a new Python-based exploit and scanner for SolarWinds Web Help Desk. This tool tests if the target is vulnerable to CVE-2024-28987 by attempting to access the /OrionTickets endpoint, and if so, to then retrieve and save all helpdesk tickets from the vulnerable endpoint.
+
+## What is vulnerable?
+
+| Product(s) Affected | Version(s) | CVE                                                                                                                                      | CVSS         | Severity                                                       |
+| ------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------- |
+|  SolarWinds Web Help Desk        | Version WHD 12.8.3 HF1 and earlier   | [CVE-2024-28987](https://nvd.nist.gov/vuln/detail/CVE-2024-28987)                                    | 9.1          | **Critical**                                   |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- SolarWinds: <https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987>
+
+## Additional References
+
+- Dark Web Informer: <https://darkwebinformer.com/cve-2024-28987-scanner-exploiter-solarwinds-web-help-desk/>