Critical · CISA KEV · Exploited in the wild · Public exploit

SolarWinds Web Help Desk Hardcoded Credential Vulnerability

Identifiers: CVE-2024-28987, CWE-798 · Use of Hard-coded Credentials

CVE-2024-28987 affects SolarWinds Web Help Desk (WHD). The flaw is a hardcoded credential vulnerability in WHD that allows a remote unauthenticated user to access internal functionality and modify data. Multiple references describe it as a critical hardcoded login credential bug in SolarWinds Web Help Desk.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to use the embedded credential to gain access to internal or restricted functionality in SolarWinds Web Help Desk and modify application data. Because the issue is remotely reachable and does not require prior authentication, it can provide an initial access path into exposed WHD deployments.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, restrict network exposure of SolarWinds Web Help Desk, especially public internet access, and limit access to trusted administrative networks or VPN users only. Monitor WHD for unauthorized access and unexpected data modification, rotate any credentials associated with the application if applicable, and review logs for signs of exploitation. Because the vulnerability is unauthenticated and remotely exploitable, reducing exposure is the primary interim mitigation.
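
The log review recommended above can be scripted. The following is an added example (not code from SolarWinds or from the PoC repositories listed on this page) that scans a web access log for requests to the OrionTickets REST path named in the exploit descriptions further down this page. The trusted network range, the Combined Log Format assumption and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# REST path named in the PoC descriptions on this page.
ORION_PATH = "/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets"
# Assumption: only this admin/VPN range should ever reach WHD.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: the front end writes Common/Combined Log Format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    f'203.0.113.45 - - [12/Oct/2024:03:14:07 +0000] "GET {ORION_PATH} HTTP/1.1" 200 18342',
    f'203.0.113.45 - - [12/Oct/2024:03:14:09 +0000] "GET {ORION_PATH}/1042 HTTP/1.1" 200 2210',
    f'203.0.113.45 - - [12/Oct/2024:03:14:12 +0000] "POST {ORION_PATH}/1042 HTTP/1.1" 200 310',
    f'198.51.100.7 - - [12/Oct/2024:03:20:01 +0000] "GET {ORION_PATH} HTTP/1.1" 401 0',
    f'10.20.0.15 - - [12/Oct/2024:09:01:44 +0000] "GET {ORION_PATH} HTTP/1.1" 200 18342',
    '203.0.113.45 - - [12/Oct/2024:03:13:58 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa HTTP/1.1" 200 5120',
]

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_orion_api_hits(lines):
    """Summarise untrusted-source requests to the OrionTickets API, per IP."""
    hits = defaultdict(lambda: {"reads": 0, "writes": 0, "ok": 0, "tickets": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m or is_trusted(m["ip"]):
            continue
        path = m["uri"].split("?", 1)[0]
        rest = path[len(ORION_PATH):]
        if not path.startswith(ORION_PATH) or (rest and not rest.startswith("/")):
            continue
        h = hits[m["ip"]]
        h["reads" if m["method"] in ("GET", "HEAD") else "writes"] += 1
        h["ok"] += m["status"].startswith("2")  # request was served, not rejected
        if rest.strip("/").isdigit():
            h["tickets"].add(int(rest.strip("/")))  # individual ticket touched
    return dict(hits)

if __name__ == "__main__":
    print(find_orion_api_hits(SAMPLE_LOG))
```

Sources with `ok` greater than zero, and any source with `writes`, are the ones to triage first, since the advisory describes both unauthorized access and data modification.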

Remediation

Patch, then assume compromise.

Apply the SolarWinds vendor fix for CVE-2024-28987 in Web Help Desk; SolarWinds is reported to have fixed this vulnerability in 2024. Upgrade to a patched WHD release identified by SolarWinds for CVE-2024-28987 and verify that no vulnerable versions remain exposed.

PUBLIC EXPLOITS

Exploits

2 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).

CVE-2024-28987 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept Python exploit for CVE-2024-28987, a hardcoded credential vulnerability in SolarWinds Web Help Desk. The main script, 'cve-2024-28987.py', uses a hardcoded HTTP Basic Authorization header to authenticate to the SolarWinds Web Help Desk API. It retrieves up to 25 of the most recent help desk tickets (due to an API limitation), fetches full details for each ticket, and saves the results in a structured directory format. The script also analyzes ticket IDs to estimate the total number of tickets in the system. Output is organized into JSON files for summaries and detailed ticket data. The exploit is network-based, targeting the API endpoints '/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets' and '/helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets/{ticket_id}' on the victim system. The repository includes a README with usage instructions and a LICENSE file. The exploit does not provide a shell or code execution, but enables unauthorized access to sensitive ticket data via the exposed API.

alecclyde · Disclosed Apr 21, 2025 · python · network

CVE-2024-28987 · Maturity: PoC · Verified exploit

This repository contains a proof-of-concept exploit for CVE-2024-28987, a hardcoded credential vulnerability in SolarWinds Web Help Desk. The main file, CVE-2024-28987.py, is a Python script that takes a target URL as input and attempts to retrieve helpdesk tickets from the target by sending an HTTP GET request to the /helpdesk/WebObjects/Helpdesk.woa/ra/OrionTickets endpoint. The request uses a hardcoded HTTP Basic Authorization header, exploiting the vulnerability to gain unauthorized access to ticket data. The script prints the retrieved tickets if successful, or indicates if the target is likely not vulnerable. The repository also includes a README.md with usage instructions and background information. No additional payloads or post-exploitation actions are present; the exploit is limited to reading ticket data. The attack vector is network-based, requiring access to the target's web interface.

horizon3ai · Disclosed Sep 24, 2024 · python · network

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

| Vendor | Product | Type |
| --- | --- | --- |
| SolarWinds | Web Help Desk | application |
| SolarWinds | Webhelpdesk | application |

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
