Cyber Resilience

CVE-2024-28999

Medium

Published: 04 June 2024

Published
04 June 2024
Modified
26 February 2025
KEV Added
Patch
CVSS Score v3.1 6.4 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS Score 0.0648 91.3th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-28999 is a medium-severity Race Condition (CWE-362) vulnerability in Solarwinds Solarwinds Platform. Its CVSS base score is 6.4 (Medium).

Operationally, ranked in the top 8.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

The SolarWinds Platform is affected by a race condition vulnerability, tracked as CVE-2024-28999 and assigned CWE-362, that impacts the web console. The issue carries a CVSS 3.1 score of 6.4 with an attack vector of adjacent network, high attack complexity, no required privileges or user interaction, and impacts described as high on confidentiality with limited effects on integrity and availability.

An attacker positioned on an adjacent network can exploit the race condition to achieve unauthorized access or manipulation of console resources. Because the flaw requires no authentication, an adversary could potentially read sensitive data or perform limited modifications and disruptions without user assistance.

SolarWinds has published mitigation guidance in the SolarWinds Platform 2024.2 release notes and the associated security advisory on its trust center, directing customers to apply the referenced platform update.

The EPSS score remains flat at 0.0648 with no material increase since disclosure.

EU & UK References

Vulnerability details

The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

solarwinds
solarwinds platform
≤ 2024.2

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-362

Accurate timestamps from internal clocks enable detection of race conditions by providing reliable event ordering in audit logs.

addresses: CWE-362

Coordination of concurrent security activities reduces the probability that shared resources will be accessed simultaneously without proper synchronization.

References