On July 17, 2024, SolarWinds published a security advisory detailing multiple critical vulnerabilities in its Access Rights Manager (ARM) software. These vulnerabilities were responsibly disclosed to SolarWinds by researchers working with Trend Micro’s Zero Day Initiative (ZDI). The vulnerabilities have CVSS scores ranging from 7.6 to 9.6.
The disclosed vulnerabilities allow for remote code execution (RCE), directory traversal, information disclosure, and authentication bypass. Several of these vulnerabilities allow unauthenticated users to execute commands with SYSTEM privileges, delete arbitrary files, and access sensitive information.
While there have been no reports of these vulnerabilities being exploited in the wild, it is expected that threat actors will attempt to reverse engineer the patches provided by SolarWinds and exploit them in future campaigns. Due to the sensitivity of the data residing within the application, Arctic Wolf strongly recommends upgrading affected instances of SolarWinds Access Rights Manager as soon as possible.
Vulnerabilities
These vulnerabilities were first publicly disclosed on July 17, 2024 by SolarWinds.
| CVE | CVSS Score | Exploitation Status | Public PoC | Description |
| --- | --- | --- | --- | --- |
| CVE-2024-23470 | 9.6 – Critical | No Active Exploitation Known | No Public POC Available | Remote Code Execution (RCE) – Allows unauthenticated users to run commands and executables. |
| CVE-2024-23467 | 9.6 – Critical | No Active Exploitation Known | No Public POC Available | Remote Code Execution (RCE) – Allows unauthenticated remote code execution. |
| CVE-2024-23469 | 9.6 – Critical | No Active Exploitation Known | No Public POC Available | Remote Code Execution (RCE) – Enables unauthenticated users to execute commands with SYSTEM privileges. |
| CVE-2024-23466 | 9.6 – Critical | No Active Exploitation Known | No Public POC Available | Remote Code Execution (RCE) – Due to directory traversal, allows unauthenticated users to perform actions with SYSTEM privileges. |
| CVE-2024-23465 | 8.3 – High | No Active Exploitation Known | No Public POC Available | Authentication Bypass – Allows unauthenticated users to gain domain admin access within Active Directory environments. |
| CVE-2024-23475 | 9.6 – Critical | No Active Exploitation Known | No Public POC Available | Directory Traversal and Information Disclosure – Allows unauthenticated users to delete arbitrary files and access sensitive information. |
| CVE-2024-28993 | 7.6 – High | No Active Exploitation Known | No Public POC Available | Directory Traversal and Information Disclosure – Permits arbitrary file deletion and leakage of sensitive data. |
| CVE-2024-28992 | 7.6 – Critical | No Active Exploitation Known | No Public POC Available | Directory Traversal and Information Disclosure – Allows arbitrary file deletion and information leakage. |
| CVE-2024-23468 | 7.6 – High | No Active Exploitation Known | No Public POC Available | Directory Traversal and Information Disclosure – Allows unauthorized file deletion and data leakage. |
Recommendations
Upgrade To a Fixed Version of SolarWinds Access Rights Manager
Arctic Wolf strongly recommends upgrading to the fixed version of SolarWinds Access Rights Manager (ARM) to address the critical vulnerabilities. The fixed version is ARM 2024.3.
| Affected Product | Affected Versions | Fixed Version |
| --- | --- | --- |
| SolarWinds Access Rights Manager (ARM) | Versions prior to ARM 2024.3 | ARM 2024.3 |
Please follow your organization’s patching and testing guidelines to avoid any operational impact.
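The following is an added example, not code from Arctic Wolf or SolarWinds, showing how to triage an ARM inventory against the fixed version named above. It assumes you have already collected the installed ARM version string from each server by whatever means your environment provides (the advisory does not specify one); the hostnames and versions in the sample inventory are constructed for illustration.

```python
FIXED_VERSION = "2024.3"  # fixed release named in the advisory


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string such as '2023.2.1' into a tuple of ints.

    Trailing zero components are dropped so that '2024.3.0' compares equal
    to '2024.3'; a later point release such as '2024.3.1' compares greater.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed ARM version is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Return the sorted hostnames whose ARM version still needs the upgrade."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory: hypothetical hostnames and version strings.
SAMPLE_INVENTORY = {
    "arm-prod-01": "2023.2.1",
    "arm-prod-02": "2024.3",
    "arm-dr-01": "2024.2.0",
    "arm-lab-01": "2024.3.1",
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: ARM {SAMPLE_INVENTORY[host]} is prior to {FIXED_VERSION}; upgrade required")
```

Running the script lists `arm-dr-01` and `arm-prod-01` as still affected; the two hosts at 2024.3 or later are skipped. Because the comparison is numeric rather than string-based, a version like `2024.10` would correctly sort after `2024.3`.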
References
- SolarWinds Patches Multiple Critical Vulnerabilities in Access Rights Manager
- SolarWinds Access Rights Manager 2024.3 Release Notes