SolarWinds on Tuesday released a hotfix - again - for a critical flaw (CVSS 9.8) in its Web Help Desk IT ticketing software that could allow a remote, unauthenticated attacker to run commands on the host machine.
This is the third time the vendor has tried to fix the flaw, an unauthenticated AjaxProxy deserialization remote code execution (RCE) bug in its Web Help Desk ticketing and asset management software.
"This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986," SolarWinds noted in its Tuesday release. Criminals exploited both of those earlier vulnerabilities.
It all started in mid-August 2024, when the software maker released a hotfix for CVE-2024-28986, a critical (9.8 CVSS) deserialization RCE vulnerability in Web Help Desk. C