CVE-2024-28999
Published: 04 June 2024
Summary
CVE-2024-28999 is a medium-severity race condition (CWE-362) vulnerability in the SolarWinds Platform. Its CVSS v3.1 base score is 6.4 (Medium).
Operationally, it ranks in the top 8.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
Deeper analysis
The SolarWinds Platform is affected by a race condition vulnerability, tracked as CVE-2024-28999 and assigned CWE-362, that impacts the web console. The issue carries a CVSS v3.1 base score of 6.4 with an attack vector of adjacent network, high attack complexity, no required privileges, no user interaction, unchanged scope, and high impact on confidentiality with low impact on integrity and availability (equivalent to the vector CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L).
An attacker on the same or an adjacent network segment as the console, holding no credentials and needing no action from a user, could win the race to gain unauthorized access to console resources or manipulate them. The high attack complexity reflects that exploitation depends on timing: the attacker's request has to land in the window between a check and the action that relies on it, which in practice means repeating the attempt many times. A successful attempt chiefly exposes sensitive data (the confidentiality impact is rated high); the integrity and availability effects are rated low.
SolarWinds has published mitigation guidance in the SolarWinds Platform 2024.2 release notes and the associated security advisory on its trust center, directing customers to apply the referenced platform update.
The EPSS score has held flat at 0.0648 (an estimated 6.48% probability of exploitation activity in the wild within the next 30 days), with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-26061
Vulnerability details
The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.
- CWE(s): CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization, "Race Condition")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Accurate, synchronized clocks on the console host (for example via NTP) give audit-log entries a reliable ordering, which is what lets an analyst recognize the burst of near-simultaneous requests against the same resource that a race-condition exploitation attempt typically produces.
- Proper synchronization of concurrent access to shared resources (serializing each check-then-act sequence with a lock or an atomic operation, and keeping critical sections small) removes the window in which two requests can act on the same resource at once; this is the root-cause fix for CWE-362.
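To make the synchronization control concrete, here is a generic check-then-act race of the CWE-362 class alongside its fixed form, with a small harness that fires concurrent requests at each. This is an added illustration, not the SolarWinds Platform web console's code, whose internals the advisory does not describe; the single-use console token scenario, the class and function names, and the deliberately widened race window are all constructed for the example.

```python
"""Check-then-act race (CWE-362) and its synchronized fix (added example).

Generic illustration of the weakness class. It is not the SolarWinds
Platform web console's code; the one-time-token scenario is constructed.
"""
import threading
import time


class TokenStoreVulnerable:
    """Redeems single-use tokens with separate check and act steps.

    Between `token in self._tokens` (check) and `discard` (act) another
    request can pass the same check, so one token grants access more than
    once. The sleep widens the window so the interleaving reproduces on
    every run; in real code the window is a few instructions and the
    attacker compensates by firing many requests (hence AC:H).
    """

    def __init__(self, tokens):
        self._tokens = set(tokens)  # shared resource, unsynchronized

    def redeem(self, token: str) -> bool:
        if token in self._tokens:          # check
            time.sleep(0.02)               # race window (constructed)
            self._tokens.discard(token)    # act
            return True
        return False


class TokenStoreFixed(TokenStoreVulnerable):
    """Same logic, but check and act execute inside one critical section."""

    def __init__(self, tokens):
        super().__init__(tokens)
        self._lock = threading.Lock()

    def redeem(self, token: str) -> bool:
        with self._lock:                   # check and act are now atomic
            if token in self._tokens:
                time.sleep(0.02)           # the window no longer matters
                self._tokens.discard(token)
                return True
            return False


def race(store, token: str, attackers: int = 8) -> int:
    """Fire `attackers` concurrent redemptions of one token and return how
    many were granted. A correct store grants exactly one."""
    start = threading.Barrier(attackers)
    grants = []
    record = threading.Lock()

    def attempt():
        start.wait()                       # release every thread together
        ok = store.redeem(token)
        with record:
            grants.append(ok)

    threads = [threading.Thread(target=attempt) for _ in range(attackers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(grants)


if __name__ == "__main__":
    print("vulnerable:", race(TokenStoreVulnerable({"tok-1"}), "tok-1"), "grants")
    print("fixed:     ", race(TokenStoreFixed({"tok-1"}), "tok-1"), "grants")
```

The vulnerable store grants the token to most or all of the eight concurrent callers; the fixed store grants it once and rejects the rest, and it does so regardless of how long the work inside the critical section takes. The lock, not the narrowness of the window, is what closes the race, which is why "make the window smaller" is never an adequate fix for this weakness class.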