CISA has added SolarWinds Web Help Desk vulnerability CVE-2024-28986 to its Known Exploited Vulnerabilities catalog, confirming the bug is being used in real-world attacks. The flaw is rated critical and affects SolarWinds Web Help Desk, a ticketing and IT service management product used across enterprises and public-sector organizations.
According to CISA and SolarWinds, CVE-2024-28986 is a server-side template injection issue that can lead to remote code execution. Public reporting says the bug can be exploited by an unauthenticated attacker, making exposed instances a high-priority patching target. SolarWinds published an advisory and released fixes on August 13, and CISA added the issue to KEV on August 14.
The KEV listing matters because it signals more than theoretical risk: CISA only adds vulnerabilities that have evidence of active exploitation. For federal civilian agencies, KEV inclusion usually triggers accelerated remediation deadlines. For everyone else, it is a strong indicator that exploit activity may already be spreading beyond targeted attacks into broader scanning and opportunistic compromise.
Organizations running Web Help Desk should apply SolarWinds’ fixes immediately, review whether any instances are internet-accessible, and investigate for signs of compromise before and after patching. Defenders should look for suspicious web requests, unexpected child processes spawned by the application, unfamiliar outbound connections, and possible persistence mechanisms such as web shells or scheduled tasks.
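One way to run the child-process and outbound-connection checks listed above over exported endpoint telemetry, as an added example that is not from CISA, SolarWinds or the original article. The JSON field names, the Java host process, the watch list of child binaries and the allowlisted addresses are all assumptions to adapt to your deployment, and the sample events are constructed.

```python
import json

# Assumptions (not from the article): events arrive as JSON lines from an
# EDR/Sysmon-style export with the field names used below, and the help desk
# application is hosted by a Java process. Adjust all three sets to your site.
APP_PARENTS = {"java", "java.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash", "curl",
                    "wget", "certutil.exe", "schtasks.exe"}
ALLOWED_DESTS = {"10.0.0.5", "10.0.0.25"}  # placeholders: database, mail relay

def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def hunt(lines):
    """Return (line_no, finding_type, detail) for each suspicious event."""
    findings = []
    for n, raw in enumerate(lines, 1):
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            # Surface telemetry gaps instead of silently skipping them.
            findings.append((n, "unparseable", raw[:40]))
            continue
        if not isinstance(ev, dict):
            continue
        kind = ev.get("type")
        if kind == "process" and basename(ev.get("parent", "")) in APP_PARENTS:
            child = basename(ev.get("image", ""))
            if child in SUSPECT_CHILDREN:
                findings.append((n, "child_process", child))
        elif kind == "network" and basename(ev.get("image", "")) in APP_PARENTS:
            if ev.get("dest") not in ALLOWED_DESTS:
                findings.append((n, "outbound", ev.get("dest")))
    return findings

# Constructed sample events (paths and addresses are illustrative only).
JAVA = r"C:\app\jre\bin\java.exe"
SAMPLE = [json.dumps(e) for e in [
    {"type": "process", "parent": JAVA, "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "network", "image": JAVA, "dest": "10.0.0.5"},
    {"type": "network", "image": JAVA, "dest": "203.0.113.7"},
    {"type": "process", "parent": JAVA, "image": JAVA},
]] + ["{not json"]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Run it against telemetry from before and after the patch window, since the article advises checking both.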
The risk is significant because help desk platforms often store support tickets, attachments, asset details, internal hostnames, and workflow data that can help attackers move deeper into a network. Even systems reachable only through a VPN or internal segment should not be treated as low-risk if they remain unpatched.
No public victim list has been tied to this flaw so far, but CISA’s action makes the priority clear: if Web Help Desk is in your environment, patch it and hunt for compromise now.




