On 1 March 2024, SolarWinds published a security advisory for CVE-2024-0692, a high-severity vulnerability in SolarWinds Security Event Manager (SEM) that allows an unauthenticated threat actor to achieve remote code execution (RCE). The vulnerability lies in the configuration of SEM's AMF deserialisation endpoints: user-supplied data is insufficiently validated, so untrusted data reaches the deserialiser and is deserialised.
Arctic Wolf has not observed any instances of this vulnerability being exploited in the wild, nor are we aware of any published Proof of Concept (PoC) exploits. Although no direct attacks against specific SEM vulnerabilities have been reported in the past, SolarWinds itself has previously been targeted by threat actors: in 2020, Russian-nexus threat actors compromised the SolarWinds Orion build pipeline and used it to deliver a backdoor to downstream customer organisations. Given that this vulnerability offers unauthenticated RCE in a product that is typically deployed with broad log and network visibility, it is likely that threat actors will target it in the near future.
Recommendation for CVE-2024-0692
Upgrade SolarWinds Security Event Manager (SEM) to Fixed Version
Arctic Wolf strongly recommends upgrading SEM to the latest fixed version.
| Product | Affected Version | Fixed Version |
|---|---|---|
| SolarWinds Security Event Manager (SEM) | SEM Version 2023.4 and prior | SEM Version 2023.4.1 |
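To turn the table above into a repeatable check across a fleet, the following Python snippet classifies SEM version strings against the fixed version. It is an added example written for this bulletin, not code from Arctic Wolf or SolarWinds; it assumes version strings in the `YYYY.N[.M]` form the advisory uses (optionally prefixed with "SEM Version"), and the host inventory it runs over is constructed for illustration. Obtaining the installed version from each appliance is left to the operator, since the example deliberately does not assume any SEM API.

```python
"""Classify SolarWinds SEM version strings against the CVE-2024-0692 fix.

Added example for this bulletin (not Arctic Wolf or SolarWinds code).
"""
from typing import Dict, Tuple

# Fixed version as stated in the SolarWinds advisory (see the table above).
FIXED_VERSION = "2023.4.1"

# Constructed sample inventory: hostnames and version strings are made up.
SAMPLE_INVENTORY: Dict[str, str] = {
    "sem-prod-01": "SEM Version 2023.4",
    "sem-prod-02": "2023.4.1",
    "sem-lab-01": "2022.4.2",
    "sem-dr-01": "2024.1",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'SEM Version 2023.4.1' or '2023.4' into a comparable tuple.

    Non-numeric input raises rather than being silently treated as patched,
    which is the failure mode you want in a compliance check.
    """
    text = version.strip()
    if text.lower().startswith("sem version"):
        text = text[len("sem version"):].strip()
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError as exc:
        raise ValueError(f"unparseable SEM version string: {version!r}") from exc


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]) -> Tuple[Tuple[int, ...], Tuple[int, ...]]:
    """Right-pad with zeros so 2023.4 compares as 2023.4.0 (i.e. before 2023.4.1)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed build: 2023.4 and prior."""
    installed, patched = _pad(parse_version(version), parse_version(fixed))
    return installed < patched


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host to 'UPGRADE' (affected) or 'OK' (at or above the fixed version)."""
    return {
        host: ("UPGRADE" if is_affected(ver) else "OK")
        for host, ver in inventory.items()
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The zero-padding in `_pad` is the one edge case worth noting: a naive string comparison would rank "2023.4" above "2023.4.1" and mark a vulnerable appliance as patched.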
Please follow your organisation's patching and testing guidelines to avoid operational impact.
References
- SolarWinds Security Advisory (CVE-2024-0692)
- ZDI (CVE-2024-0692)
- CISA Advisory (SolarWinds Compromise)