SolarWinds released security updates to address a critical-severity remote code execution vulnerability, tracked as CVE-2024-28991 (CVSS score of 9.0), in SolarWinds Access Rights Manager (ARM).

The flaw is a deserialization of untrusted data remote code execution vulnerability that impacts ARM 2024.3 and prior versions.
“SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability,” reads the advisory. “If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.”

“This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Access Rights Manager. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed,” reads the report published by Trend Micro Zero Day Initiative. “The specific flaw exists within the JsonSerializationBinder class. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM.”
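The binder is exactly where the validation the ZDI report describes as missing belongs. The following C# is an added example, not SolarWinds or ZDI code: it contrasts a Newtonsoft.Json serialization binder that trusts the client-supplied type name with one that only resolves an explicit allow-list. That ARM uses Newtonsoft.Json, and the ReportRequest type and class names, are assumptions.

```csharp
// Added example, not SolarWinds code. Assumes Newtonsoft.Json >= 10 (ISerializationBinder API).
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

public sealed class ReportRequest { public string Name { get; set; } = ""; } // hypothetical expected type
// Insecure pattern: the "$type" string taken from the JSON is resolved verbatim, so the
// client decides which .NET type gets instantiated and populated.
public sealed class TrustingBinder : ISerializationBinder
{
    public Type BindToType(string assemblyName, string typeName) =>
        Type.GetType($"{typeName}, {assemblyName}", throwOnError: true);
    public void BindToName(Type t, out string asm, out string name)
    { asm = t.Assembly.GetName().Name; name = t.FullName; }
}
// Hardened pattern: the binder is the validation step. Only types the application
// explicitly expects can be bound; anything else is refused before an instance exists.
public sealed class AllowListBinder : ISerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new()
    {
        [typeof(ReportRequest).FullName] = typeof(ReportRequest),
    };
    public Type BindToType(string assemblyName, string typeName) =>
        Allowed.TryGetValue(typeName, out var t)
            ? t
            : throw new JsonSerializationException($"type '{typeName}' is not permitted");
    public void BindToName(Type t, out string asm, out string name)
    { asm = t.Assembly.GetName().Name; name = t.FullName; }
}

public static class Demo
{
    // Constructed input: a client supplies a "$type" the service never advertised.
    private const string Unexpected =
        "{\"$type\":\"Some.Unexpected.Type, SomeAssembly\",\"Name\":\"x\"}";
    public static bool IsRejected(ISerializationBinder binder)
    {
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects, // what makes "$type" honoured at all
            SerializationBinder = binder,
        };
        try { JsonConvert.DeserializeObject<object>(Unexpected, settings); return false; }
        catch (JsonSerializationException) { return true; }
    }
    public static void Main() => Console.WriteLine(IsRejected(new AllowListBinder())); // True
}
```

The allow-list binder rejects the unexpected type name before any object is constructed, which is the property a deserialization endpoint needs regardless of how the surrounding authentication holds up.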
The company also addressed a hardcoded credential vulnerability, tracked as CVE-2024-28990, in ARM.

SolarWinds addressed the issues with the release of Access Rights Manager (ARM) 2024.3.1.
Pierluigi Paganini

(SecurityAffairs – hacking, ARM)