diff --git a/docs/advisories/20250108002-SolarWinds-WHD-Scanner-And-Exploiter.md b/docs/advisories/20250108002-SolarWinds-WHD-Scanner-And-Exploiter.md new file mode 100644 index 00000000..81dd1945 --- /dev/null +++ b/docs/advisories/20250108002-SolarWinds-WHD-Scanner-And-Exploiter.md @@ -0,0 +1,25 @@ +# SolarWinds Web Help Desk Vulnerability Scanner and Exploiter - 20250108002 + +## Overview + +Since publishing [Advisory 20241001001](https://soc.cyber.wa.gov.au/advisories/20241001001-SolarWinds-Critical-Vulnerability/), the WA SOC has been notified of a new Python-based exploit and scanner for SolarWinds Web Help Desk. This tool tests if the target is vulnerable to CVE-2024-28987 by attempting to access the /OrionTickets endpoint, and if so, to then retrieve and save all helpdesk tickets from the vulnerable endpoint. + +## What is vulnerable? + +| Product(s) Affected | Version(s) | CVE | CVSS | Severity | +| ------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------- | +| SolarWinds Web Help Desk | Version WHD 12.8.3 HF1 and earlier | [CVE-2024-28987](https://nvd.nist.gov/vuln/detail/CVE-2024-28987) | 9.1 | **Critical** | + +## What has been observed? + +There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing. + +## Recommendation + +The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)): + +- SolarWinds: + +## Additional References + +- Dark Web Informer: