CVE DATABASE / CVE-2024-28986
CVE-2024-28986
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
Confirmed exploited in the wild. Added 2024-08-15.
Federal remediation due 2024-09-05.
Required action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Summary
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine.While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.
CVSS 3.1 breakdown
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Use our free CVE Lookup tool for the latest NVD record, or browse the full CISA KEV catalog.
References
- https://support.solarwinds.com/SuccessCenter/s/article/WHD-12-8-3-Hotfix-1
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28986
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-28986
Data: NIST NVD + CISA KEV. NVD last modified 2025-10-27. Always verify against the vendor advisory before acting.