SolarWinds Patches Critical RCE Vulnerabilities in Access Rights Manager

February 16, 2024

SolarWinds, a major provider of IT management software, has released patches for five remote code execution (RCE) vulnerabilities found in its Access Rights Manager (ARM) tool. Three of these flaws, identified as CVE-2024-23476, CVE-2024-23479, and CVE-2023-40057, are of critical severity and can be exploited without authentication. The ARM solution is used by businesses to manage and audit access rights across their IT infrastructures, thereby reducing the potential impact of insider threats. The critical vulnerabilities are linked to path traversal weaknesses and the deserialization of untrusted data, which, if exploited, could allow unauthenticated attackers to execute code on unpatched systems.

The remaining two vulnerabilities, CVE-2024-23477 and CVE-2024-23478, can also be exploited for RCE attacks and have been classified as high-severity issues by SolarWinds. Four of the five vulnerabilities were discovered and reported by anonymous researchers collaborating with Trend Micro's Zero Day Initiative (ZDI), with the fifth one identified by ZDI vulnerability researcher Piotr Bazydło.

SolarWinds addressed these vulnerabilities in the 2023.2.3 version of Access Rights Manager, which was released with bug and security fixes. The company has not yet disclosed whether any of these vulnerabilities have been exploited in the wild prior to the release of the patches.

SolarWinds previously patched three other critical RCE vulnerabilities in ARM in October, which could have allowed attackers to execute code with SYSTEM privileges. In 2020, the Russian APT29 hacking group infiltrated SolarWinds' systems and injected malicious code into the SolarWinds Orion IT administration platform. This resulted in the deployment of the Sunburst backdoor on thousands of systems, with a select number of organizations being specifically targeted for further exploitation.

SolarWinds' client base exceeds 300,000 worldwide, including 96% of Fortune 500 companies and various government organizations. Following the disclosure of the supply-chain attack, several U.S. government agencies confirmed they were breached. In April 2021, the U.S. government formally accused the Russian Foreign Intelligence Service (SVR) of orchestrating the SolarWinds cyberattack. In October, the U.S. Securities and Exchange Commission (SEC) charged SolarWinds with defrauding investors by allegedly failing to disclose cybersecurity defense issues prior to the 2020 hack.
