CVE-2021-35232

Hard credentials discovered in SolarWinds Web Help Desk which allows to execute Arbitrary Hibernate Queries

Description

Hard coded credentials discovered in SolarWinds Web Help Desk product. Through these credentials, the attacker with local access to the Web Help Desk host machine allows to execute arbitrary HQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.

Remediation

Solution:

  • SolarWinds advises the customers to upgrade to the latest Web Help Desk 12.7.7 Hotfix 1 product release once it becomes generally available.

Category

6.8
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.32%
Vendor Advisory solarwinds.com Vendor Advisory solarwinds.com
Affected: SolarWinds Web Help Desk
Published at:
Updated at:

References

Link Tags
https://www.solarwinds.com/trust-center/security-advisories/CVE-2021-35232 vendor advisory
https://support.solarwinds.com/SuccessCenter/s/article/Web-Help-Desk-12-7-7-Hotfix-1-Release-Notes?language=en_US release notes vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-35232?
CVE-2021-35232 has been scored as a medium severity vulnerability.
How to fix CVE-2021-35232?
To fix CVE-2021-35232: SolarWinds advises the customers to upgrade to the latest Web Help Desk 12.7.7 Hotfix 1 product release once it becomes generally available.
Is CVE-2021-35232 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-35232 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-35232?
CVE-2021-35232 affects SolarWinds Web Help Desk.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.