The Cybersecurity and Infrastructure Security Agency added a critical hardcoded credentials flaw in SolarWinds Web Help Desk to its known exploited vulnerabilities catalog on Tuesday, marking the second actively exploited CVE in the same product since August.
The vulnerability, listed as CVE-2024-28987, allows a remote, unauthenticated attacker to access internal functionality and potentially modify data. The software defect has a CVSS score of 9.1.
In an August security advisory, SolarWinds said the vulnerability affected customers running Web Help Desk 12.8.3 HF1 and all prior versions, and told customers to upgrade to the fixed version at that time.
Researchers at Horizon3 discovered the hardcoded credentials vulnerability while doing research on a Java deserialization remote code execution vulnerability, listed as CVE-2024-28986, which was disclosed in August.
The Java deserialization vulnerability, which has a CVSS score of 9.8, allows attackers to potentially run commands on a host machine.
The hardcoded credentials flaw allows unauthenticated attackers to remotely read and modify help desk ticket details, Horizon3 researchers said in a September blog post.
The information contained in these help desk tickets often includes sensitive data, such as shared service account credentials and passwords linked to reset requests, according to Horizon3.
It is not immediately clear what specific threat activity led CISA to add CVE-2024-28987 to the KEV catalog; however, the listing requires federal civilian executive branch agencies to take mitigation steps to protect their systems from exploitation.
In late September, Horizon3 researchers reported almost 830 public-facing instances of SolarWinds Web Help Desk.