Incident Analysis

SolarWinds Web Help Desk CVE-2024-28987: Hardcoded Credential in Federal Networks

SolarWinds shipped a hardcoded helpdeskIntegrationUser credential in Web Help Desk that CISA added to KEV on October 15, 2024 after federal agency intrusions.

Alex
Security Analyst
5 min read

On August 21, 2024, SolarWinds published a security advisory for Web Help Desk (WHD), the company's ticketing and IT-asset-management product widely deployed in U.S. federal civilian agencies, state and local governments, and Fortune 500 helpdesks. The flaw, CVE-2024-28987, was a hardcoded backend credential — username helpdeskIntegrationUser, password dev-C4F8025E7 — left in production from at least version 12.8.3 forward. Carrying a CVSS v3.1 base score of 9.1, the vulnerability allowed unauthenticated remote attackers to read, modify, and delete every helpdesk ticket and asset record in the system. Two months later, on October 15, 2024, CISA added CVE-2024-28987 to the Known Exploited Vulnerabilities (KEV) catalog, triggering BOD 22-01 remediation timelines and confirming that federal agencies had been actively breached through the flaw.

What exactly is the vulnerability?

WHD ships a "tech integration" account intended to let internal SolarWinds services call back into the WHD REST API. In versions through 12.8.3 Hotfix 1, the credentials for this account were compiled into the application JAR files and bound to the same TCP listener as the customer-facing UI on port 8081/8443. Researcher Zach Hanley of Horizon3.ai discovered the flaw and disclosed it on May 22, 2024; SolarWinds released Hotfix 2 on August 21. The credential was static — no hash, no rotation, identical across every WHD installation worldwide. Anyone with HTTPS reachability to a vulnerable WHD instance could authenticate to the /helpdesk/WebObjects/Helpdesk.woa/ra/... REST endpoints and pull every ticket, attachment, password reset, and asset record stored there.

Why is this dangerous beyond data theft?

Helpdesk ticketing is the unsexy underbelly of every IT shop. Tickets contain plaintext passwords (users send them to reset accounts), VPN configurations, private-key material attached for "diagnosis", internal hostnames, vulnerability scan output, BYOD device IMEIs, payroll system error messages, and the names and contact details of every privileged operator. A WHD compromise hands an attacker a treasure map of the target environment without ever touching the directory service. Horizon3's proof-of-concept (released August 23, 2024) showed ticket bodies being read, including one with the subject "Re: New BeyondTrust admin password", which effectively fingerprints the next move. By the time CISA added the CVE to KEV in October, Horizon3 reported observing scanning and exploitation traffic from multiple Tor and DigitalOcean egress nodes against IPs registered to U.S. federal civilian and education-sector ranges.

How long was it exploited and against whom?

CISA's KEV entry says exploitation was confirmed but does not name victims. The Computing.co.uk story citing CISA officials (October 16, 2024) referenced "multiple federal agencies" and "state and local government entities." BleepingComputer reported on October 17 that a federal civilian agency had been confirmed breached via CVE-2024-28987 in late September. SolarWinds' own September 9, 2024 update conceded that "a small number of customers" had been exploited. Censys scans on August 28 found 827 internet-exposed WHD instances; by October 20 that number had only dropped to 619, meaning roughly a quarter of vulnerable internet-facing deployments remained unpatched eight weeks after the advisory. Federal civilian agencies were given until November 5, 2024 under BOD 22-01 to patch or remove the product.

Has this happened before with SolarWinds?

This is not the same as the 2020 Orion supply-chain attack. CVE-2024-28987 is a code-defect vulnerability — a credential left in production — not a software-supply-chain compromise. But it sits inside a four-year pattern: CVE-2024-28986 (a separate WHD Java deserialisation RCE, KEV'd August 15, 2024), CVE-2024-29849 (Veeam-adjacent SolarWinds-affected auth bypass), and the still-unresolved questions raised by the Orion intrusion. SolarWinds' SEC settlement of October 22, 2024 ($26 million, no admission) and the dismissal of most fraud claims against CISO Tim Brown on July 18, 2024 sit in the background. The pattern matters because it shapes how defenders should treat any SolarWinds product release until a sustained, public security-engineering improvement is demonstrated.

What does the code defect look like?

Horizon3's writeup describes the credential as embedded in a Web Objects helper class that initialises the integration user on application startup. Modern static analysis would flag this in seconds — TruffleHog, Semgrep's generic.secrets.security.detected-username-password rule, and CodeQL's java/hardcoded-credentials query all catch this pattern. The defect therefore reads as a process failure: a developer-test credential that should have been replaced with environment-variable injection before GA, but was not.
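Because the credential was compiled into the shipped JARs rather than living only in source, a source-level SAST gate is not the only place to catch it. The following is an added example, not Horizon3's or SolarWinds' code: it walks the constant pool of every class file in a JAR and reports classes that carry the integration user name, together with the string constant compiled next to it as a triage hint. The JAR, class names, and password are constructed placeholders; the real WHD artefacts are not reproduced here.

```python
import io, struct, zipfile

INTEGRATION_USER = "helpdeskIntegrationUser"
# Byte widths of fixed-size constant-pool tags (JVMS 4.4); tag 1 is variable.
FIXED_TAG_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
                  12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def utf8_constants(class_bytes):
    """Walk a class file's constant pool; return its Utf8 entries in order."""
    if class_bytes[:4] != b"\xca\xfe\xba\xbe":
        return []
    count = struct.unpack_from(">H", class_bytes, 8)[0]
    pos, idx, out = 10, 1, []
    while idx < count:
        tag = class_bytes[pos]
        if tag == 1:  # CONSTANT_Utf8: u1 tag, u2 length, then the bytes
            n = struct.unpack_from(">H", class_bytes, pos + 1)[0]
            out.append(class_bytes[pos + 3:pos + 3 + n].decode("utf-8", "replace"))
            pos += 3 + n
        else:
            pos += 1 + FIXED_TAG_SIZE[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double occupy two slots
    return out

def find_integration_user(jar_bytes):
    """(class name, next Utf8 constant) for every class whose pool holds the
    integration user name; the neighbour is a triage hint, not proof of a secret."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in (n for n in jar.namelist() if n.endswith(".class")):
            consts = utf8_constants(jar.read(name))
            for i, c in enumerate(consts):
                if c == INTEGRATION_USER:
                    hits.append((name, consts[i + 1] if i + 1 < len(consts) else None))
    return hits

def build_class_fixture(strings):
    """Constructed class file with a Utf8-only constant pool (enough for the parser)."""
    pool = b"".join(b"\x01" + struct.pack(">H", len(s.encode())) + s.encode() for s in strings)
    return b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, len(strings) + 1) + pool

def build_jar_fixture():
    """Constructed JAR: one hardcoded-credential class, one env-var-backed class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("com/example/IntegrationUserInit.class", build_class_fixture(
            ["apiUser", INTEGRATION_USER, "PLACEHOLDER-not-the-real-password"]))
        jar.writestr("com/example/EnvBackedInit.class", build_class_fixture(
            ["WHD_INTEGRATION_PASSWORD", "java/lang/System", "getenv"]))
    return buf.getvalue()
```

The environment-backed class is reported clean because its constant pool names a variable, not a secret; that is the shape the fix should take.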

# Detection: HTTP requests authenticating as helpdeskIntegrationUser.
# Suricata rule (community-style). The second content is base64 of
# "helpdeskIntegrationUser:"; that 24-byte prefix encodes to a fixed
# 32-character block, so the match holds whatever password follows the colon.
alert http any any -> any any ( \
  msg:"SolarWinds WHD CVE-2024-28987 default integration user"; \
  flow:established,to_server; \
  content:"Authorization|3a 20|Basic "; http_header; nocase; \
  content:"aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6"; http_header; distance:0; \
  classtype:attempted-admin; sid:2024028987; rev:1;)

What should defenders do this quarter?

Four steps. First, patch every WHD instance to 12.8.3 Hotfix 2 or higher and rotate every credential ever stored in a WHD ticket — VPN passwords, service-account passwords, MFA recovery codes, anything that could plausibly have been pasted into a ticket body. Second, audit egress to the WHD management UI for the last 12 months for traffic with Basic-auth headers using the helpdeskIntegrationUser value (base64 aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6). Third, never expose helpdesk ticketing to the public internet — put WHD behind an SSO-enforced VPN or ZTNA proxy. Fourth, build a hardcoded-credential SAST gate into every supplier's CI/CD if they will sell into your environment; ask them to attest annually that their build pipeline runs at minimum TruffleHog + Semgrep on every PR.
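The second step above, carried out over access logs, as an added example that is not from the original post: it decodes each Basic credential rather than trusting a substring match, counts hits per source address, and keeps the request and status for each. The log format is an assumed reverse-proxy format that records the Authorization header as the last quoted field; the sample lines, addresses, resource paths, and password are constructed placeholders.

```python
import base64
import re
from collections import Counter

INTEGRATION_USER = "helpdeskIntegrationUser"
# base64("helpdeskIntegrationUser:"); 24 bytes, so this prefix is the same
# whatever password follows the colon.
B64_PREFIX = "aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6"

# Assumed log shape (constructed): a reverse proxy in front of WHD that logs
# the Authorization header as the last quoted field. Adjust for your format.
LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                     r'(?P<status>\d{3}) \S+ "(?P<auth>[^"]*)"$')

# Constructed sample: two hits from one address, one unauthenticated page
# load, one Basic login as an unrelated user. Paths and password are placeholders.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Aug/2024:10:14:02 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/example HTTP/1.1" 200 4821 "Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6UExBQ0VIT0xERVI="
10.20.30.40 - - [28/Aug/2024:10:14:05 +0000] "GET /helpdesk/ HTTP/1.1" 200 1020 "-"
203.0.113.7 - - [28/Aug/2024:10:14:09 +0000] "GET /helpdesk/WebObjects/Helpdesk.woa/ra/example/1 HTTP/1.1" 200 912 "Basic aGVscGRlc2tJbnRlZ3JhdGlvblVzZXI6UExBQ0VIT0xERVI="
198.51.100.9 - - [28/Aug/2024:11:02:41 +0000] "POST /helpdesk/WebObjects/Helpdesk.woa/ra/example HTTP/1.1" 401 0 "Basic am9lOnNlY3JldA=="
""".splitlines()

def basic_user(auth_value):
    """Username from a Basic credential, or None if absent or undecodable."""
    if not auth_value.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(auth_value[6:].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, _ = raw.partition(b":")
    return user.decode("utf-8", "replace") if sep else None

def audit(lines):
    """Per-source count of requests authenticated as the integration user,
    plus (src, request, status) for each hit."""
    by_src, hits = Counter(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Decode rather than substring-match so whitespace or padding quirks
        # cannot hide a hit; the prefix test still catches truncated values.
        if basic_user(m["auth"]) == INTEGRATION_USER or B64_PREFIX in m["auth"]:
            by_src[m["src"]] += 1
            hits.append((m["src"], m["req"], int(m["status"])))
    return by_src, hits
```

A 401 hit is worth keeping too: it shows the credential being tried against an instance that no longer accepts it.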

How Safeguard Helps

Safeguard ingests every internal and supplier-built application as an SBOM and runs continuous credential-scanning against component artefacts, so a hardcoded-credential pattern like helpdeskIntegrationUser:dev-C4F8025E7 is caught before it leaves the build pipeline and the moment it appears in any vendor product you consume. Griffin AI cross-references CISA KEV additions in near-real-time and raises a critical finding the moment CVE-2024-28987-class entries land, with reachability analysis showing which of your WHD instances are internet-exposed versus segmented. TPRM scoring tracks SolarWinds and every other ticketing/helpdesk vendor against the CISA Secure by Design pledge, downgrading suppliers who miss BOD 22-01 SLAs. Policy gates block new deployments of any helpdesk application below a minimum-patch baseline, and ingest VEX statements from vendors to suppress non-exploitable findings — giving your incident responders a clean, prioritised view during the next KEV-grade disclosure.
