Critical hardcoded SolarWinds credential now exploited in the wild

A critical, hardcoded login credential in SolarWinds’ Web Help Desk line has been exploited in the wild by criminals, according to the US Cybersecurity and Infrastructure Security Agency, which has added the security blunder to its Known Exploited Vulnerabilities (KEV) Catalog. This 9.1 CVSS-rated oversight allows remote, unauthenticated attackers to log into vulnerable instances via these baked-in creds, and then access internal functionality and modify sensitive data.

Source: The Register

 

