20250108002 (#1150)

DGOV-Bryce · JadonWill · web-flow · commit 7279c9245e5c · 2025-01-08T11:16:42.000+08:00
* 20250108002

* Update and rename 20250108002

Changed Title and updated Overview to reflect this is newly developed information, and not re-advising on the same CVE. Included link to original advisory in Overview.

---------

Co-authored-by: JadonWill &lt;117053393+JadonWill@users.noreply.github.com&gt;
diff --git a/docs/advisories/20250108002-SolarWinds-WHD-Scanner-And-Exploiter.md b/docs/advisories/20250108002-SolarWinds-WHD-Scanner-And-Exploiter.md
@@ -0,0 +1,25 @@
+# SolarWinds Web Help Desk Vulnerability Scanner and Exploiter - 20250108002 
+
+## Overview
+
+Since publishing [Advisory 20241001001](https://soc.cyber.wa.gov.au/advisories/20241001001-SolarWinds-Critical-Vulnerability/), the WA SOC has been notified of a new Python-based exploit and scanner for SolarWinds Web Help Desk. This tool tests if the target is vulnerable to CVE-2024-28987 by attempting to access the /OrionTickets endpoint, and if so, to then retrieve and save all helpdesk tickets from the vulnerable endpoint.
+
+## What is vulnerable?
+
+| Product(s) Affected | Version(s) | CVE                                                                                                                                      | CVSS         | Severity                                                       |
+| ------------------- | ---------- | ---------------------------------------------------------------------------------------------------------------------------------------- | ------------ | -------------------------------------------------------------- |
+|  SolarWinds Web Help Desk        | Version WHD 12.8.3 HF1 and earlier   | [CVE-2024-28987](https://nvd.nist.gov/vuln/detail/CVE-2024-28987)                                    | 9.1          | **Critical**                                   |
+
+## What has been observed?
+
+There is no evidence of exploitation affecting Western Australian Government networks at the time of publishing.
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *48 hours...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- SolarWinds: <https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987>
+
+## Additional References
+
+- Dark Web Informer: <https://darkwebinformer.com/cve-2024-28987-scanner-exploiter-solarwinds-web-help-desk/>
