https://www.solarwinds.com/trust-center/security-advisories en 1728b8efa75d4dbbbf58b60eb3025964 https://www.solarwinds.comhttps://www.solarwinds.com/trust-center/security-advisories/cve-2026-28318 Wed, 03 Jun 2026 03:00:00 GMT e25fa9799ff7401cbffb75e47e901082 https://www.solarwinds.comhttps://www.solarwinds.com/trust-center/security-advisories/cve-2026-28299 Tue, 02 Jun 2026 06:00:00 GMT d5d5a889c474418db3ed83c9e152889a https://www.solarwinds.com/trust-center/security-advisories/openssl-release-announcement-and-security-advisory-7th-apr-2026 04/29/2026 On 7 April 2026, OpenSSL issued a security advisory alongside multiple patch releases addressing several vulnerabilities across supported versions. Learn More > https://www.solarwinds.com/trust-center/security-advisories/openssl-release-announcement-and-security-sdvisory-7th-apr-2026 Wed, 29 Apr 2026 06:00:00 GMT 912faddbb1b14c2a826cedd099fc6311 https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28298 SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution. Thu, 26 Mar 2026 06:00:00 GMT b43d237936f94163b77987266e4609d0 https://www.solarwinds.com/trust-center/security-advisories/cve-2026-28297 SolarWinds Observability Self-Hosted was found to be affected by a stored cross-site scripting vulnerability, which when exploited, can lead to unintended script execution. Wed, 25 Mar 2026 23:00:00 GMT fed2bc4b7ed8481baaed90a55261c7c3 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40541 An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account. This issue requires administrative privileges to abuse. Mon, 23 Feb 2026 23:00:00 GMT e4d3b70698e34a538d6bf131feaea4c9 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40540 CVE-2025-40540 A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. Mon, 23 Feb 2026 23:00:00 GMT d5b73bd28d594d0bbcbc0aed516fb4fc https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40539 A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account. This issue requires administrative privileges to abuse. Mon, 23 Feb 2026 23:00:00 GMT 3538575cc7734392a87db224d0ac76e4 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40538 A broken access control vulnerability exists in Serv-U which when exploited together, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges. This issue requires administrative privileges to abuse. Mon, 23 Feb 2026 23:00:00 GMT a68a761c51094861ae80e30c168ba96f https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40553 Wed, 28 Jan 2026 12:00:00 GMT fe52769888d24906925849187aa8cf0e https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40554 Wed, 28 Jan 2026 12:00:00 GMT e772b37662864c8e8d9a10a8942dbf88 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40536 SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. Wed, 28 Jan 2026 12:00:00 GMT 75f2833b8b324e80b60734bead8c47fb https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40537 SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. Wed, 28 Jan 2026 12:00:00 GMT ddc3c959b48c443788d0829baaf081bf https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40551 SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. Wed, 28 Jan 2026 12:00:00 GMT dd87c9ae38924341ad89cf726316f17d https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40552 SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. Wed, 28 Jan 2026 12:00:00 GMT ca127d0d43874cc38305ab1774dc27e5 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-55182 Wed, 03 Dec 2025 12:00:00 GMT fb342e4e704f4b02aff00eb2b3c8ce4f https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40547 A logic error vulnerability exists in Serv-U which when abused could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. Tue, 18 Nov 2025 12:00:00 GMT cd21a839c30347208a2bf73d8c0b6689 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40548 A missing validation process exists in Serv U when abused, could give a malicious actor with access to admin privileges the ability to execute code. This issue requires administrative privileges to abuse. Tue, 18 Nov 2025 12:00:00 GMT 1fbc301758f94eedad1b29c05eb82b48 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40549 A Path Restriction Bypass vulnerability exists in Serv-U that when abused, could give a malicious actor with access to admin privileges the ability to execute code on a directory. This issue requires administrative privileges to abuse. On Windows systems, this scored as medium due to differences in how paths and home directories are handled. Tue, 18 Nov 2025 12:00:00 GMT b351ae17082c4842a431e60e4ff98b8a https://www.solarwinds.com/trust-center/security-advisories/cve-2025-40545 SolarWinds Observability Self-Hosted is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required. Tue, 18 Nov 2025 12:00:00 GMT 4450a1f34cc24e09b028a5a770a71566 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26391 SolarWinds Observability Self-Hosted XSS Vulnerability. The SolarWinds Platform was susceptible to a XSS vulnerability that affects user-created URL fields. This vulnerability requires authentication from a low-level account. Tue, 18 Nov 2025 12:00:00 GMT b9be5c8ec1f04d61acb005bb1e09f40e https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26392 10/21/2025 SolarWinds Observability Self-Hosted is susceptible to SQL injection vulnerability that may display sensitive data using a low-level account. Learn more > https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26392 Tue, 21 Oct 2025 12:00:00 GMT de9683dfae3844bcb0ca1df410e0ef15 https://www.solarwinds.com/trust-center/security-advisories/npm-supply-chain-vulnerability 09/30/2025 In September 2025, the Node Package Manager (npm) repository was compromised with a widespread software supply chain attack... Lear More > https://www.solarwinds.com/trust-center/security-advisories/npm-supply-chain-vulnerability Tue, 30 Sep 2025 12:00:00 GMT 5bc591ca62cd4a8a8c217e52ee13aa90 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26399 SolarWinds Web Help Desk was found to be susceptible to an unauthenticated AjaxProxy deserialization remote code execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. This vulnerability is a patch bypass of CVE-2024-28988, which in turn is a patch bypass of CVE-2024-28986. Wed, 17 Sep 2025 12:00:00 GMT b06cfa03297842a7a172e8d6b4102697 https://www.solarwinds.com/trust-center/security-advisories/salesloft-drift-security-incident 09/15/2025 SolarWinds has been made aware of a recent data breach involving Salesforce, which resulted in the unauthorized access and theft of sensitive customer data. learn More > https://www.solarwinds.com/trust-center/security-advisories/salesloft-drift-security-incident Mon, 15 Sep 2025 12:00:00 GMT 33cae8d27ab845059359539dc270cb1d https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26398 08/12/2025 SolarWinds Database Performance Analyzer was found to contain a hard-coded cryptographic key… Learn more > https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26398 Tue, 12 Aug 2025 12:00:00 GMT 3297fadd107f4ebbb12f6a32bd13de84 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26400 Tue, 29 Jul 2025 12:00:00 GMT d83e067ff7064fd8b1b372d4d6b57000 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26397 Thu, 24 Jul 2025 12:00:00 GMT f4cc583392084a25ab06f82a3a6826c0 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26394 SolarWinds SWOSH is susceptible to an open redirection vulnerability. The URL is not properly sanitized, and an attacker could manipulate the string to redirect a user to a malicious site. The attack complexity is high, and authentication is required. Tue, 10 Jun 2025 12:00:00 GMT 4226c93e619548328974455d7c505f1d https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26395 Tue, 10 Jun 2025 12:00:00 GMT 923dcdfd48bf4d579474d6dbc81f5b90 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26396 CVE-2025-26396 The SolarWinds DameWare Mini Remote Control was determined to be affected by Incorrect Permissions Local Privilege Escalation Vulnerability. This vulnerability requires local access and a valid low privilege account to be susceptible to this vulnerability. Mon, 02 Jun 2025 12:00:00 GMT 6d447f5994c9446d916d3bbbde3cf6f4 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45712 SolarWinds Serv-U is vulnerable to a client-side cross-site scripting (XSS) vulnerability. The vulnerability can only be performed by an authenticated account, on the local machine, from the local browser session. Therefore the risk is very low. Tue, 15 Apr 2025 12:00:00 GMT 92da062697e24c109ec4c5c337d97112 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-52612 02/11/2025 SolarWinds Platform is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. Learn more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-52612 Tue, 11 Feb 2025 12:00:00 GMT 789f7bfb77714d4f96a27ffab8498ff5 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-52606 02/11/2025 SolarWinds Platform is affected by server-side request forgery vulnerability. Proper input sanitation was not applied allowing for the possibility of a malicious web request. Tue, 11 Feb 2025 12:00:00 GMT 1bb0e43c819146cc9a4d2c1016235d45 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-52611 02/11/2025 The SolarWinds Platform is vulnerable to an information disclosure vulnerability through an error message. While the data does not provide anything sensitive, the information could assist an attacker in other malicious actions. Tue, 11 Feb 2025 12:00:00 GMT 7647ad927dca487884211ad3ae7a2ca0 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45718 Sensitive data could be exposed to non-privileged users in a configuration file. Local access to the computer with a low-privileged account is required to access the configuration file containing the sensitive data. Tue, 11 Feb 2025 12:00:00 GMT 385750be93594119be8a806764a0969c https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28989 SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software. Tue, 11 Feb 2025 12:00:00 GMT 7192eb2cdcae4ebb92b1a48944dd4910 https://www.solarwinds.com/trust-center/security-advisories/cve-11111 Mon, 06 Jan 2025 12:00:00 GMT b2716900da7d4628bbb915f9da632d36 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45709 10/12/2024 SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited. Learn more here > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45709 Tue, 10 Dec 2024 12:00:00 GMT a3284d30b8f3480c95028fe5ccb78cf5 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45717 12/4/2024 The SolarWinds Platform was susceptible to a XSS vulnerability that affects the search and node information section of the user interface. This vulnerability requires authentication and requires user interaction. Learn more here > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45717 Wed, 04 Dec 2024 12:00:00 GMT c3578384c026436888badbdf2b66065c https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45715 The SolarWinds Platform was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. Thu, 17 Oct 2024 12:00:00 GMT d852647a46564dceacff53f0903dce40 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45710 Thu, 17 Oct 2024 12:00:00 GMT 8119cd76c1ba47bdb2c70d9fa295682c https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45714 Serv-U 15.4.2.3 and earlier Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users’ permissions can modify a variable with a payload. Wed, 16 Oct 2024 12:00:00 GMT b3cd0583dee243ca97bfa2ab9504bd14 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45711 Wed, 16 Oct 2024 12:00:00 GMT c60d5de7662b40f08cab7e8433e3cd2b https://www.solarwinds.com/trust-center/security-advisories/cve-2024-45713 SolarWinds Kiwi CatTools is susceptible to a sensitive data disclosure vulnerability when a non-default setting has been enabled for troubleshooting purposes. Wed, 16 Oct 2024 12:00:00 GMT 0e92571b937b4f4f94f140e5203c9100 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28988 SolarWinds Web Help Desk was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. Tue, 15 Oct 2024 12:00:00 GMT 45877fb9b71a4fc488ea550aec0a1f64 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28990 09.12.2024 SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28990 Thu, 12 Sep 2024 12:00:00 GMT 6286486eda764a4e808dc757a3a2cd6d https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28991 09.12.2024 SolarWinds Access Rights Manager was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28991 Thu, 12 Sep 2024 12:00:00 GMT add943d492f44f38a3f34cc845dca22b https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28987 The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data. Thu, 22 Aug 2024 12:00:00 GMT 25a27dfc7d3e472aa936eb17626a1aab https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28986 SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. Fri, 09 Aug 2024 12:00:00 GMT 308bb49f9a074c54a1ed0515668d4dbb https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28993 The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information. Wed, 17 Jul 2024 12:00:00 GMT 4593b1ee6e67477f9ecec82e3418194e https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23468 The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information. Wed, 17 Jul 2024 12:00:00 GMT 867a22436ed0417eb32bea493a916395 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23475 The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information. Wed, 17 Jul 2024 12:00:00 GMT 1f19d4a1940a45e4b442609822076ce2 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23466 SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. Wed, 17 Jul 2024 12:00:00 GMT dff4ea1613ab4b8584efdf74d2cc7cc9 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28992 07.17.2024 The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28992 Wed, 17 Jul 2024 12:00:00 GMT 207e30c01e0e4988bf2824f0d968ab14 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23472 07.17.2024 SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23472 Wed, 17 Jul 2024 12:00:00 GMT 57f0ce498a804eaf8d3e801d2b900e17 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28074 It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability. Wed, 17 Jul 2024 12:00:00 GMT b9076f48944149cf8bf2b38220e25590 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23469 SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges. Wed, 17 Jul 2024 12:00:00 GMT 7cc0741e97f047e5b90a45883c62558b https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23465 The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment. Wed, 17 Jul 2024 12:00:00 GMT 4065d41314da4c8db1a207a710bfa663 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23467 07.17.2024 The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23467 Wed, 17 Jul 2024 12:00:00 GMT 9f53302edd8247f7a92c8cdae9e31c5c https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23470 The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables. Wed, 17 Jul 2024 12:00:00 GMT 9c21fee13a014b048d546a0ee53cd0af https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23474 The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. Wed, 17 Jul 2024 12:00:00 GMT 2fdd3372463149e88f554a2eab6f173b https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23471 07.17.2024 The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23471 Wed, 17 Jul 2024 12:00:00 GMT 5e149ccc81e84ba5bf1cb499f4d9aa4e https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28995 SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine. Wed, 05 Jun 2024 12:00:00 GMT e74f874167504989ba5f993a2058528f https://www.solarwinds.com/trust-center/security-advisories/cve-2024-29004 06.04.2024 The SolarWinds Platform was determined to be affected by a stored cross-site scripting vulnerability affecting the web console. High-privileged user credentials are needed, and user interaction is required to exploit this vulnerability. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-29004 Tue, 04 Jun 2024 12:00:00 GMT b81e41c913824e20aac6721eb1402a61 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28999 The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console. Tue, 04 Jun 2024 12:00:00 GMT 117e63154c0c4bd4af33f0e0b32bb9c4 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28996 The SolarWinds Platform was determined to be affected by a SWQL Injection Vulnerability. Attack complexity is high for this vulnerability. Tue, 04 Jun 2024 12:00:00 GMT 1c6bcf8847434c59a35fc6bc37d47b6f https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28075 05.09.2024 The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28075 Thu, 09 May 2024 12:00:00 GMT 7d1f3505b6ac4e76adb8f74eb520e2dc https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23473 05.09.2024 The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23473 Thu, 09 May 2024 12:00:00 GMT d0334c85a70d4165932bcfbc97d7aa1c https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28072 05.03.2024 A highly privileged account can overwrite arbitrary files on the system with log output. The log file path tags were not sanitized properly. https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28072 Fri, 03 May 2024 12:00:00 GMT 86b193275ac142728038943deef3a093 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-29000 05/20/2024 The SolarWinds Platform was determined to be affected by a reflected cross-site scripting vulnerability affecting the web console. A high-privileged user and user interaction is required to exploit this vulnerability. CVE-2024-29000 > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-29000 Thu, 18 Apr 2024 12:00:00 GMT f364c09d4e7a4edb925116a663eb41fb https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28076 04.18.2024 The SolarWinds Platform was susceptible to an arbitrary open redirection vulnerability. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28076 Thu, 18 Apr 2024 12:00:00 GMT f12427e2d48148febd23159cc5852f5b https://www.solarwinds.com/trust-center/security-advisories/cve-2024-29003 04.18.2024 The SolarWinds Platform was susceptible to an XSS vulnerability that affects the maps section of the user interface. This vulnerability requires authentication and requires user interaction. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-29003 Thu, 18 Apr 2024 12:00:00 GMT aaa4dc5e7b7e4d1c98a3240166d798a6 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-29001 04/18/2024 A SolarWinds Platform SWQL Injection Vulnerability was identified in the user interface. This vulnerability requires authentication and user interaction to be exploited. Thu, 18 Apr 2024 12:00:00 GMT badd31ca8f97477ca7c58917ca042a69 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28073 4/17/2024 SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2024-28073 Wed, 17 Apr 2024 12:00:00 GMT e0000ed950f64f81a5b751bc98224245 https://www.solarwinds.com/trust-center/security-advisories/cve-dre-advisory 04/10/2024 SolarWinds has discovered a fake website is currently being used by bad actors with the goal of stealing Dameware Remote Everywhere customer account login information. Wed, 10 Apr 2024 12:00:00 GMT 2a78a038e9aa425eab0784309d08c4b8 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-0692 02/29/2024 The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution. Fri, 01 Mar 2024 12:00:00 GMT be6268729fce4d44af9e96eb09306642 https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23479 02/06/2024 SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution. Tue, 06 Feb 2024 12:00:00 GMT 7a67d5779752460bb119e230e5cacf0d https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23478 02/06/2024 SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution. Tue, 06 Feb 2024 12:00:00 GMT 4f991e1ef2d3442ab360616a6d2b537d https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23477 02/06/2024 The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution. Tue, 06 Feb 2024 12:00:00 GMT 1c362a01ea63450cbb983c20c35fc88f https://www.solarwinds.com/trust-center/security-advisories/cve-2024-23476 02/06/2024 The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution. Tue, 06 Feb 2024 12:00:00 GMT c0bd489c27c6459898a94bfb3d8a9090 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-50395 02/06/2024 SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited and has not been reported outside of the initial report by the researcher Tue, 06 Feb 2024 12:00:00 GMT cf43ee25b7c84dbea2ee0595482c26f8 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40057 The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution. Tue, 06 Feb 2024 12:00:00 GMT 4a94f30ef1034578ade4b2b2aba620eb https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35188 02/06/2024 SQL Injection Remote Code Execution Vulnerability was found using a create statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited and has not been reported outside of the initial report by the researcher. Tue, 06 Feb 2024 12:00:00 GMT 03ec648e164c4fe38ba87e627ea42f48 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40058 12/20/2023 Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment. Wed, 20 Dec 2023 12:00:00 GMT af72ade29db14bc18af06d6adbc6df3e https://www.solarwinds.com/trust-center/security-advisories/cve-2023-48795 1/29/2024 The SolarWinds Information Security team has been made aware of CVE-2023-48795, a vulnerability concerning OpenSSH, an open source implementation of the SSH protocol, which enables attacker to downgrade authentication and effectively crack the password. Mon, 18 Dec 2023 12:00:00 GMT 53bcd5ee43754a71b2497c7a3d1e2ed2 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40053 12/05/2023 A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously. Tue, 05 Dec 2023 12:00:00 GMT 0f7f4e1126f34b8ea45817251d2c751f https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40056 11.28.2023 SQL Injection Remote Code Vulnerability was found in the SolarWinds Platform. This vulnerability can be exploited with a low privileged account. See more > https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40056 Tue, 28 Nov 2023 12:00:00 GMT 92ffea4f526e4cdd91124182715bc44d https://www.solarwinds.com/trust-center/security-advisories/cve-2023-33228 11/01/2023 The Network Configuration Manager was susceptible to a Sensitive Information Disclosure Vulnerability. Wed, 01 Nov 2023 12:00:00 GMT cba6344eab9a4958a40da25c35e2df9e https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40061 Insecure Job Execution Mechanism Vulnerability CVE-2023-40061 Wed, 01 Nov 2023 12:00:00 GMT 1a79242af63847139de901a0bafc2777 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-33226 The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. Wed, 01 Nov 2023 12:00:00 GMT c3a744d6c01d4122820e8e46f970f348 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-33227 11/01/2023 The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low- level user to perform the actions with SYSTEM privileges. Wed, 01 Nov 2023 12:00:00 GMT 91d03e99c41c44769d085a2a60522f49 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40062 11/01/2023 SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges. Wed, 01 Nov 2023 12:00:00 GMT a8c903c7987e45e9931059b287a12bfd https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40055 11/01/2023 Directory Traversal Remote Code Execution Vulnerability Wed, 01 Nov 2023 12:00:00 GMT 18cb6c0a439f43d2aeb807cb0e8d45d8 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40054 11/01/2023 The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows a low-level user to perform the actions with SYSTEM privileges. Wed, 01 Nov 2023 12:00:00 GMT e0aebcb7687749cf9b6fe5a84f4ab585 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-46604 10/27/2023 Threat actors are taking advantage of insecure deserialization in Apache ActiveMQ, which allows them to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Read more > https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-46604 Fri, 27 Oct 2023 12:00:00 GMT 732daa690d554a94af643786d6c65dc1 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35180 10/18/2023 The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API. Wed, 18 Oct 2023 12:00:00 GMT a41de5d835764079930726c2079203db https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35184 10/20/2023 The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution. Wed, 18 Oct 2023 12:00:00 GMT 7f10a6f1d0d24570abd61ad3ce70b613 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35183 10/18/2023 The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation . Wed, 18 Oct 2023 12:00:00 GMT 57c1cdae43724dceb07f4cc23ef921c8 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35187 10/18/2023 The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution. Wed, 18 Oct 2023 12:00:00 GMT 361c5c2d86144650bf795e0c7394da34 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35186 10/18/2023 The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. Wed, 18 Oct 2023 12:00:00 GMT b5dfcbde7e3c49518ca19f9a98ec4d36 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35185 10/18/2023 The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges. Wed, 18 Oct 2023 12:00:00 GMT 8b8c49573d684f9099eac695350aafb5 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35182 10/20/2023 The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server. Wed, 18 Oct 2023 12:00:00 GMT 9cc76a6bcbc04c3c94e9d0c9ca7835e1 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35181 10/18/2023 The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation. Wed, 18 Oct 2023 12:00:00 GMT 0e17cfd5188e4524986f96c57c827e32 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-44487 10/10/2023 If exploited, this HTTP/2 vulnerability allows malicious actors to launch a DDoS attack targeting HTTP/2 servers. The attack sends a set number of HTTP requests using HEADERS followed by RST_STREAM and repeats this pattern to generate a high volume of traffic on the targeted HTTP/2 servers. By packing multiple HEADERS and RST_STREAM frames in a single connection, attackers can cause a significant increase in the request per second and high CPU utilization on the servers that eventually can cause resource exhaustion. Tue, 10 Oct 2023 12:00:00 GMT 7a8165d0a84a41fdab6a64a02f0ca1d5 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-40060 A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. Wed, 30 Aug 2023 12:00:00 GMT a99d56aa8d6d470da6be1edf460e898d https://www.solarwinds.com/trust-center/security-advisories/cve-2023-35179 A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. Fri, 04 Aug 2023 12:00:00 GMT 319e89079daf44dd88b8c71891470351 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-33231 07/18/2023 XSS attack was possible in DPA 2023.2 due to insufficient input validation. Tue, 18 Jul 2023 12:00:00 GMT b355fea1a44949ff9e9e99650613b908 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-3622 25/7/23 An Access Control Bypass Vulnerability exists in the SolarWinds Platform that, if exploited, could allow an underprivileged user to read an arbitrary resource. Tue, 18 Jul 2023 12:00:00 GMT fe2eb97272014c968cb011d2b9f0310c https://www.solarwinds.com/trust-center/security-advisories/cve-2023-33224 The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges. Tue, 18 Jul 2023 12:00:00 GMT 1fdd50ca8e574924a7e7832c342d7a53 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23844 The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges. Tue, 18 Jul 2023 12:00:00 GMT 4e55ab87dd1b4251a1459e026689f220 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23840 07/18/2023 The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges. Tue, 18 Jul 2023 12:00:00 GMT 703f7214cd5c4a26a4c3e22f08242f10 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-33229 07/19/2023 The SolarWinds Platform was found to be susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML. Tue, 18 Jul 2023 12:00:00 GMT 937b259fd4f244a1a133f34fc0d05fa6 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-33225 07/18/2023 The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges. Tue, 18 Jul 2023 12:00:00 GMT 9c5e02c3bb5e47eaa034f714b2b1d7fb https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23845 07/18/2023 The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges. Tue, 18 Jul 2023 12:00:00 GMT 37953f27e37c443e8ca7e14dab6ed48c https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23843 07/19/2023 The SolarWinds Platform was found to be susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands. Tue, 18 Jul 2023 12:00:00 GMT 797ddff2a5e34ed2af16d6d0ce30d2de https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23842 07/19/2023 The SolarWinds Network Configuration Manager was found to be susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands. Tue, 18 Jul 2023 12:00:00 GMT 596f2c8eb86f48c78f16cf4ca5508816 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23841 SolarWinds Serv-U submits an HTTP request when changing or updating the File Share or File request attributes. Wed, 17 May 2023 12:00:00 GMT f7b027a3a57646c9805b5e5510ef3eef https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23839 The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.Affected ProductsSolarWinds Platform 2023.1 and prior versionsFixed Software ReleaseSolarWinds Platform 2023.2WorkaroundsSolarWinds recommends customers upgrade to SolarWinds Platform version 2023.2 as soon as it becomes available Thu, 20 Apr 2023 12:00:00 GMT ea317233e5144a29acf2953d742a8560 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47505 The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.Affected ProductsSolarWinds Platform 2023.1 and earlierFixed Software ReleaseSolarWinds Platform 2023.2AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeWorkaroundsSolarWinds recommends customers upgrade to SolarWinds Platform version 2023.2 as soon as it becomes available Tue, 18 Apr 2023 12:00:00 GMT b6db7035f6024c09bd24db69026f3d0f https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47509 The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.Affected ProductsSolarWinds Platform 2023.1 and earlierFixed Software ReleaseSolarWinds Platform 2023.2AcknowledgmentsJuampa Rodriguez (@UnD3sc0n0c1d0)WorkaroundsSolarWinds recommends customers upgrade to SolarWinds Platform version 2023.2 as soon as it becomes available Tue, 18 Apr 2023 12:00:00 GMT 08512c1b368c4fa3ac61e66e27699051 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36963 The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.Affected ProductsSolarWinds Platform 2023.1 and earlierFixed Software ReleaseSolarWinds Platform 2023.2AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeWorkaroundsSolarWinds recommends customers upgrade to SolarWinds Platform version 2023.2 as soon as it becomes available Tue, 18 Apr 2023 12:00:00 GMT af3f33773605409ea0fa4ee2074601a1 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23837 No exception handling vulnerability which revealed sensitive or excessive information to users.Affected ProductsDatabase Performance Analyzer (DPA) 2022.3 and previous versions Fixed Software ReleaseDatabase Performance Analyzer (DPA) 2023.2 Tue, 18 Apr 2023 12:00:00 GMT bd2843355e714c9180e969498cb259a7 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23838 Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.Affected ProductsDatabase Performance Analyzer (DPA) 2022.3 and previous versionsFixed Software ReleaseDatabase Performance Analyzer (DPA) 2023.2 Tue, 18 Apr 2023 12:00:00 GMT 3432946c3c314df895f4fee67e346ca9 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38111 02.15.2023 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38111 Wed, 15 Feb 2023 12:00:00 GMT ca79ec218a894b838bfde5302e360df9 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47506 01.18.2023 SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. http://www.solarwinds.com/trust-center/security-advisories/cve-2022-47506 Wed, 15 Feb 2023 12:00:00 GMT a0432753d8f247768a5b9cc01cbbe2b7 https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23836 02.15.2023 SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. https://www.solarwinds.com/trust-center/security-advisories/cve-2023-23836 Wed, 15 Feb 2023 12:00:00 GMT 6e1b377ca5a7485ab657999760ca3702 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47507 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.Affected ProductsSolarWinds Platform 2022.4.1Fixed Software ReleaseSolarWinds Platform 2023.1AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeWorkaroundsSolarWinds recommends customers upgrade to SolarWinds Platform version 2023.1 as soon as it becomes available Wed, 15 Feb 2023 12:00:00 GMT bd0802d87f4d4100b53d8928c0805777 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47504 02.15.2023 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47504 Wed, 15 Feb 2023 12:00:00 GMT 6ca760f74b45455ca2a42a5a71329097 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47503 01.19.2023 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. http://www.solarwinds.com/trust-center/security-advisories/cve-2022-47503 Wed, 15 Feb 2023 12:00:00 GMT a684243623854f8ea1a253a164862f7a https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47508 02.14.2023 Disable NTLM: SAM 2022.4. https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47508 Wed, 15 Feb 2023 12:00:00 GMT 16a8b1082400490199819c21add46918 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38112 01.18.2023 In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext. http://www.solarwinds.com/trust-center/security-advisories/cve-2022-38112 Wed, 18 Jan 2023 12:00:00 GMT 73aa2e24eb5b4b6e9cd0003298cd3fb8 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38110 01.18.2023 In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting. https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38110 Wed, 18 Jan 2023 12:00:00 GMT a7b792647c684078be0d67777e64612b https://www.solarwinds.com/trust-center/security-advisories/cve-2022-47512 Sensitive information was stored in plain text in a file. The file is accessible by a local account who specifically has been given access to the application server Fri, 16 Dec 2022 12:00:00 GMT 30974d51e23f46408d84ab10ce77d913 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38106 Cross-site scripting vulnerability in Serv-U versions 15.3.0 to 15.3.1 The vulnerability happens when a non-privileged user creates a new folder in Serv-U web client option and enters the payload.Affected ProductsServ-U 15.3.0Serv-U 15.3.1Fixed Software ReleaseServ-U 15.3.2AcknowledgmentsBalaji Ayyasamy Thu, 15 Dec 2022 12:00:00 GMT 5a3cc879c2ba41e58fbea4677b3e57fb https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35252 Common encryption key is used across all deployed instances of Serv-U FTP Server. This could lead to a security risk relating to user accounts.Affected ProductsServ-U 15.3.0 and earlierFixed Software ReleaseServ-U 15.3.2AcknowledgmentsSecureWorks Disclosure Team Thu, 15 Dec 2022 12:00:00 GMT 7ff8e71e822345df943b692d45322b5b https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35246 The application fails to prevent users from connecting to it over unencrypted connections. An attacker able to modify a legitimate user's network traffic could bypass the application's use of SSL/TLS encryption, and use the application as a platform for attacks against its users.Affected ProductsETS 2020.2.6 HF4  Fixed Software ReleaseEngineer’s Toolset 2022.4 Desktop AcknowledgmentsJusto Socarras Tue, 22 Nov 2022 12:00:00 GMT a7b5ce423d394b70b459ba4a40d9ebff https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36960 SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.Affected ProductsSolarWinds Platform 2022.3 and earlierOrion Platform 2020.2.6 HF5 and earlierFixed Software ReleaseSolarWinds Platform 2022.4AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeWorkaroundsSolarWinds recommends customers upgrade to SolarWinds Platform version 2022.4 as soon as it becomes available Tue, 22 Nov 2022 12:00:00 GMT 6400309d75084a0cbdf56d76a9d2faf4 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36964 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.Affected ProductsSolarWinds Platform 2022.3 and earlierOrion Platform 2020.2.6 HF5 and earlierFixed Software ReleaseSolarWinds Platform 2022.4AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day InitiativeWorkaroundsSolarWinds recommends customers upgrade to SolarWinds Platform version 2022.4 as soon as it becomes available Tue, 22 Nov 2022 12:00:00 GMT 16130057c8cf4f8e95612194ab051d4b https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36962 SolarWinds Platform was susceptible to Command Injection. This vulnerabilityallows a remote adversary with complete control over the SolarWinds databaseto execute arbitrary commands. Affected ProductsSolarWinds Platform 2022.3 and earlierOrion Platform 2020.2.6 HF5 and earlier Fixed Software ReleaseSolarWinds Platform 2022.4 AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative WorkaroundsSolarWinds recommends customers upgrade to SolarWinds Platform version2022.4 as soon as it becomes available Tue, 22 Nov 2022 12:00:00 GMT 830ab5d2bd704dfd931afeccdd7e07dc https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38115 Insecure method vulnerability in which allowed HTTP methods are disclosed. E.g., OPTIONS, DELETE, TRACE, and PUTAffected ProductsSEM 2022.2 and previous versionsFixed Software ReleaseSEM 2022.4 Tue, 22 Nov 2022 12:00:00 GMT 81b5c7ba0ea1475ebed141787fd6a244 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38113 This vulnerability discloses build and services versions in the server response header.Affected ProductsSEM 2022.2 and previous versions Fixed Software ReleaseSEM 2022.4 Tue, 22 Nov 2022 12:00:00 GMT 2daf8fe696c04055bfcacdff366d2fb6 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38114 This vulnerability occurs when a web server fails to correctly process the Content-Length of POST requests. This can lead to HTTP request smuggling or XSS.Affected ProductsSEM 2022.2 and previous versionsFixed Software ReleaseSEM 2022.4AcknowledgmentsKen Pyle-CYBIR Tue, 22 Nov 2022 12:00:00 GMT c6f4aa04998e496ea8dc9790198547dc https://www.solarwinds.com/trust-center/security-advisories/cve-2022-3602-and-cve-2022-3786 October 25, 2022, the OpenSSL Project announced the forthcoming release of OpenSSL version 3.0.7. to address the vulnerability assessed with the severity of high.November 1, 2022, the OpenSSL Project released the OpenSSL 3.0.7 version and details about CVE-2022-3602 and CVE-2022-3786 have been released.SolarWinds investigated all products and infrastructure to identify the versions of OpenSSL utilized Tue, 01 Nov 2022 12:00:00 GMT bf140208d45e41b1ae5a8dfbbc641034 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-42889 UPDATE October 27, 2022: Updated to announce our evaluation of our free tools portfolio is complete and they are not affected by this vulnerability. We have also added Security & Event Manager (SEM) to the list of SolarWinds products which use Apache Commons Text4Shell, but do not use the vulnerable methods.The Apache Software Foundation emailed their security email distro with a security advisory message regarding CVE-2022-42889 and provided mitigation guidance to upgrade to Apache Commons Text 1.10.0 Wed, 26 Oct 2022 12:00:00 GMT 328783d5d8fc487397ca3e69a1d97581 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38108 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.Affected ProductsSolarWinds Platform 2022.3 and earlierOrion Platform 2020.2.6 HF5 and earlierFixed Software ReleaseSolarWinds Platform 2022.4 RC1AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative Wed, 19 Oct 2022 12:00:00 GMT 4958cdd84ad443e19a4168460153fb34 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36958 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.Affected ProductsSolarWinds Platform 2022.3 and earlierOrion Platform 2020.2.6 HF5 and earlierFixed Software ReleaseSolarWinds Platform 2022.4 RC1AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative Wed, 19 Oct 2022 12:00:00 GMT 92da96f22d0a4e489af54cdf81a80341 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36957 SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.Affected ProductsSolarWinds Platform 2022.3 and earlierOrion Platform 2020.2.6 HF5 and earlierFixed Software ReleaseSolarWinds Platform 2022.4 RC1AcknowledgmentsPiotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative Wed, 19 Oct 2022 12:00:00 GMT 49e520dbdb314ff5bc9b763af3d93a7c https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36966 Users with Node Management rights were able to view and edit all nodes due to Insufficient control on URL parameter causing insecure direct object reference (IDOR) vulnerability in SolarWinds Platform 2022.3.Affected ProductsSolarWinds Platform 2022.3 and previousOrion Platform 2020.2.6 HF5 and previousFixed Software ReleaseSolarWinds Platform 2022.4 RC1AcknowledgmentsAsim Liaquat Wed, 19 Oct 2022 12:00:00 GMT 1162524e564f4ca9ab4ae6fdb8454c39 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-38107 Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details Tue, 18 Oct 2022 12:00:00 GMT e6a0e3e0a69c4d9782efb141c7fbbd06 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36965 Insufficient sanitization of inputs in QoE application input field could lead to stored and DOM based XSS attack. This issue is fixed and is part of the latest release for SolarWinds Platform (2022.3)Affected ProductsOrion Platform 2022.2 and earlierFixed Software ReleaseSolarWinds Platform 2022.3AcknowledgmentsShashank Chaurasia Wed, 28 Sep 2022 12:00:00 GMT 8bab987f27b04e3189fe9ec79dc5336f https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36961 A component of Orion Platform was found to be vulnerable to SQL Injection attacks. An authenticated attacker could leverage this for privilege escalation or remote code execution.Affected ProductsOrion Platform 2022.2 and earlierFixed Software Release SolarWinds Platform 2022.3 Wed, 28 Sep 2022 12:00:00 GMT 35f6803004c74f909998c17515b4cc7d https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35226 An entity in Network Configuration Manager (NCM) product is misconfigured and exposes password field to Solarwinds Information Service (SWIS). Exposed credentials are encrypted and require authenticated access with an NCM role Wed, 28 Sep 2022 12:00:00 GMT 0fbc10a0556f44d992922a3c62f04e77 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35249 This broken access control vulnerability pertains specifically to a domain admin who can access configuration & user data of other domains which they should not have access to. Please note the admin is unable to modify the data (read only operation).This UAC issue leads to a data leak to unauthorized users for a domain, with no log of them accessing the data unless they attempt to modify it Tue, 17 May 2022 12:00:00 GMT 443f896aab304e54bde1e2b67c8d226a https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35229 Cross-site scripting vulnerability in Database Performance Monitor 2022.1 using SQL query.Affected ProductsDPA 2022.1 and previous versionsFixed Software ReleaseDPA 2022.2 Tue, 19 Apr 2022 12:00:00 GMT ac6b576a28fa431f91c4c94ec14f9a8f https://www.solarwinds.com/trust-center/security-advisories/spring4shell On Tuesday, March 29, news of potential vulnerabilities in the Spring Framework was surfaced. Thu, 31 Mar 2022 12:00:00 GMT 1eaad7fb0f68421c9c026e10824fdd23 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35254 SolarWinds received a report of a vulnerability related to an input that was not sanitized in Web Help Desk.SolarWinds has removed this input field to prevent the misuse of this input in the future. Affected ProductsWeb Help Desk versions 12.7.8 and earlier Fixed Software ReleaseWeb Help Desk 12.7.8 HF1 Thu, 24 Mar 2022 12:00:00 GMT a9fd1b099d724164be481a33d4ee7f9f https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35250 An external security researcher reported a Directory Transversal Vulnerability in Serv-U 15.3. If exploited, this vulnerability could allow access to files relating to the Serv-U installation and server files Wed, 02 Mar 2022 12:00:00 GMT 4f4388bc7d6d46c99289cefa12925685 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35251 Sensitive information could be displayed when a detailed technical error message is posted. This information could disclose environmental details about the Web Help Desk installation.Affected ProductsWHD 12.7.7 H1 and previous versionsFixed Software ReleaseWHD 12.7.8AcknowledgmentsAnthony Meluso Tue, 15 Feb 2022 12:00:00 GMT 943374b6eba74959875407313f6d2a33 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35247 The Serv-U web login screen to LDAP authentication was allowing characters that were not sufficiently sanitized. SolarWinds has updated the input mechanism to perform additional validation and sanitization.Please Note: No downstream affect has been detected as the LDAP servers ignored improper characters.To insure proper input validation is completed in all environments, SolarWinds recommends scheduling an update to the latest version of Serv-U. Affected Products15.2.5 and previous versions  Fixed Software Release Serv-U 15.3  Acknowledgments Jonathan Bar Or of Microsoft (@yo_yo_yo_jbo) Tue, 18 Jan 2022 12:00:00 GMT 817ac9c81f044b62b9edb38078c11f8b https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35243 HTTP PUT & DELETE Methods EnabledAffected ProductsWeb Help Desk 12.7.6 and earlierFixed Software ReleaseWeb Help Desk 12.7.7 HF1 Fri, 24 Dec 2021 12:00:00 GMT c2c78a89ebe74abaae22ba149c9cc37d https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35244 The "Log alert to a file" action within action management enables any Orion user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote code execution Mon, 20 Dec 2021 12:00:00 GMT 0a771443618f46fab569a5feb06d0ba0 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35248 Insecure permissions allow low-privilege Orion users to query the  Orion.UserSettings SWIS entity. This will present usernames and basic user settings Mon, 20 Dec 2021 12:00:00 GMT 15ece16d158d48f99a6856470ee04c01 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35234 Numerous exposed dangerous functions within Orion Core allows for read-only SQL injection leading to privileged escalation. An attacker with low-user privileges may steal password hashes and password salt information.Affected ProductsOrion Platform 2020.2.6 HF2 and earlierFixed Software ReleaseOrion Platform 2020.2.6 HF3AcknowledgmentsTrend Micro, Zero Day Initiative Mon, 20 Dec 2021 12:00:00 GMT d79f94b43d6d49ef868678e78adf0582 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-4104 JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228 Fri, 17 Dec 2021 12:00:00 GMT 52854df0054b4a54b5270de22c8000ac https://www.solarwinds.com/trust-center/security-advisories/cve-2021-45046 It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments Tue, 14 Dec 2021 12:00:00 GMT d51edf0f9828408da22948940f863318 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-44228 UPDATE January 14, 2022: Updated to announce the availability of the DPA hotfixes released December 28, 2021. Sun, 12 Dec 2021 12:00:00 GMT 0f52a2b9e48a49b0a510fbae71dee770 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35242 Serv-U server responds with valid CSRF Token when the request contains only Session.Affected ProductsServ-U 15.2.4 HF1 and previous versionsFixed Software ReleaseServ-U 15.2.5 Fri, 03 Dec 2021 12:00:00 GMT 361291c728bd48eabe7e43dcaca1ee49 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35245 When a user has admin rights in Serv-U Console, the user can move, create, and delete any files that are able to be accessed on the Serv-U host machine.Affected ProductsServ-U 15.2.4 HF1 and previous versionsFixed Software ReleaseServ-U 15.2.5 Thu, 02 Dec 2021 12:00:00 GMT e3471382a6d74aa5a967f0616e933d57 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35230 As a result of an unquoted service path vulnerability present in the Kiwi CatTools Installation Wizard, a local attacker could gain escalated privileges by inserting an executable into the path of the affected service or uninstall entry.Affected ProductsKiwi CatTools 3.11.8 and earlier Fixed Software ReleaseKiwi CatTools 3.12 Tue, 19 Oct 2021 12:00:00 GMT 26725ba7a2c44a7197af53dfb9d6d4dc https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35231 As a result of an unquoted service path vulnerability present in the Kiwi Syslog Server Installation Wizard, alocal attacker could gain escalated privileges by inserting an executable into the path of the affected serviceor uninstall entry.Example vulnerable path: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kiwi SyslogServer\Parameters\ApplicationAffected ProductsKiwi Syslog Server 9.7.2 and earlierFixed Software ReleaseKiwi Syslog Server 9.8AcknowledgmentsDavid RickardDanijel Grah Tue, 19 Oct 2021 12:00:00 GMT a7de9e2950894bbdb4925d62d77bb4f0 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35228 The vulnerability occurred due to missing input sanitization for one of the output fields extracted from headers on a specific section of a page. An attacker would need to perform a “Man in the Middle” attack to change a header for a remote victim Tue, 19 Oct 2021 12:00:00 GMT d7d6a7c0b4534e65be6f34dfa2b66335 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35225 Each authenticated Orion user in the MSP (Managed Service Provider) environment can view and browse all NetPathServices from all MSP's customers. This can lead to any user having a limited insight into other customers'infrastructure and potential data cross-contamination.Affected ProductsNetwork Performance Monitor 2020.2.6 HF1 and earlierFixed Software ReleaseNetwork Performance Monitor 2020.2.6 HF2AcknowledgmentsPreston DeasonChad LarsenZachary Riezenman Tue, 19 Oct 2021 12:00:00 GMT b9b08eb4ad0b407a8d0061bc05629df4 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35236 The Secure flag is not set in the SSL Cookie of Kiwi Syslog Server 9.7.2 and previous versions. The Secure attribute tells the browser to only send the cookie if the request is being sent over a secure channel such as HTTPS Tue, 19 Oct 2021 12:00:00 GMT d45ffd6cfa4742d99927ac7c6f0cd65b https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35227 Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.Affected ProductsAccess Rights Manager 2020.2.6 and earlierFixed Software ReleaseAccess Rights Manager 2021.4 Tue, 19 Oct 2021 12:00:00 GMT 4e45a87b8a0b408b8565b0b177d3e477 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35233 The HTTP TRACK & TRACE methods were enabled in Kiwi Syslog Server 9.7.2 and earlier. These methods are intended for diagnostic purposes only Tue, 19 Oct 2021 12:00:00 GMT 62d5cf2fb7fd4639b1b54ab2cca30bc4 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35237 A missing HTTP header (X-Frame-Options) in Kiwi Syslog Server has left customers vulnerable to click jacking.Clickjacking is an attack that occurs when an attacker uses a transparent iframe in a window to trick a userinto clicking on an actionable item, such as a button or link, to another server in which they have an identicalwebpage. The attacker essentially hijacks the user activity intended for the original server and sends them tothe other server Tue, 19 Oct 2021 12:00:00 GMT 8678db9771c64422b76879bb15e8f3a4 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35235 The ASP.NET debug feature is enabled by default in Kiwi Syslog Server 9.7.2 previous versions. ASP.NET allows remote debugging of web applications, if configured to do so Tue, 19 Oct 2021 12:00:00 GMT b1d07e4410b645b18f6d4905443726ae https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35214 The vulnerability can be described as a failure to invalidate user sessions upon password or email address change. It was observed when running multiple active sessions in separate browser windows Mon, 13 Sep 2021 12:00:00 GMT 956d21d34cfa46d2bbc0b7b44837607e https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35232 Hard-coded credentials discovered in SolarWinds Web Help Desk. Through these credentials, an attacker with local access to the Web Help Desk host machine could be allowed to execute arbitrary HSQL queries against the database and leverage the vulnerability to steal the password hashes of the users or insert arbitrary data into the database.Affected ProductsWeb Help Desk 12.7.6 and previous versionsFixed Software ReleaseWeb Help Desk 12.7.7 Hotfix 1AcknowledgmentsShubham Shah Mon, 13 Sep 2021 12:00:00 GMT 193d89813ce5473d8c8b0eebee0cd9df https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35217 Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI.  An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.Affected ProductsPatch Manager 2020.2.5 and earlierFixed Software ReleasePatch Manager 2020.2.6 HF1AcknowledgmentsJangggggg working with Trend Micro Zero Day Initiative Fri, 20 Aug 2021 12:00:00 GMT 8972bdb740624a25a19e6f00d4fc87e4 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35223 An attacker can abuse the FTP command SITE EXEC for command line obfuscation to conceal the payload which can launch remote code execution (RCE) from the Serv-U Server.Affected ProductsServ-U 15.2.3 and earlierFixed Software ReleaseServ-U 15.2.4AcknowledgmentsExodus Intelligence (exodusintel.com) Fri, 20 Aug 2021 12:00:00 GMT f9623a6220004b1aa62bec9d8ef15de3 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-32076 It is possible to access “Web Help Desk Getting Started Wizard” specially in admin account creation page from non-privileged IP range or loopback by interception of the HTTP request and change the referrer from the public IP to the loopback "http://127.0.0.1:8081".Affected ProductsWeb Help Desk 12.7.2 and earlierFixed Software ReleaseWeb Help Desk 12.7.6 AcknowledgmentsMoaaz Taha Fri, 20 Aug 2021 12:00:00 GMT e339b722f2504abd89918fa5dcec216d https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35239 A security researcher found a user with Orion map manage rights could store XSS through the text box hyperlink. Affected ProductsOrion Platform 2020.2.5 and earlierFixed Software ReleaseOrion Platform 2020.2.6 HF1AcknowledgmentsKajetan Rostojek Tue, 20 Jul 2021 12:00:00 GMT 69dc25ba99574315828f5dcf8965e7b9 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35240 A security researcher found a stored XSS via a Help Server setting. This affects customers using Internet Explorer because they do not support 'rel=noopener'Affected ProductsOrion Platform 2020.2.5 and earlierFixed Software ReleaseOrion Platform 2020.2.6 HF1AcknowledgmentsKajetan Rostojek Tue, 20 Jul 2021 12:00:00 GMT 4d566cb0c7934a29b7b64964a62175ad https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35238 A security researcher found a user with Orion admin rights could store XSS through URL POST parameter in CreateExternalWebsite website.Affected ProductsOrion Platform 2020.2.5 and earlierFixed Software ReleaseOrion Platform 2020.2.6 HF1AcknowledgmentsKajetan Rostojek Tue, 20 Jul 2021 12:00:00 GMT 8e2b38f31be642078210fdf4e3f1b51b https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35222 Resource.aspx Reflected Cross-Site Scripting Vulnerability. This vulnerability allows attackers to impersonate users and perform arbitrary actions on their behalf.Affected ProductsOrion Platform 2020.2.5 and earlierFixed Software ReleaseOrion Platform 2020.2.6 HF1AcknowledgmentsAlex Birnberg of Zymo Security and FireEye Thu, 15 Jul 2021 12:00:00 GMT f9aa73f794ef48af9c186088552a0abc https://www.solarwinds.com/trust-center/security-advisories/cve-2021-31217 Insecure folder permissions of the Dameware Mini Remote Control Service installation (version 12.0.1.2008) allows for privileged file deletion when a repair is initiated by the Windows Installer.Affected ProductsDameware 12.0.1.2008Fixed Software ReleaseDameware 12.2AcknowledgmentsAdriaan Schuitmaker Thu, 15 Jul 2021 12:00:00 GMT 00e172f1f407494bacc09be06937c413 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35213 An Improper Access Control Privilege Escalation Vulnerability was discovered in the User Setting of Orion Platform version 2020.2.5. It allows a guest user to elevate privileges to the Administrator using this vulnerability Thu, 15 Jul 2021 12:00:00 GMT 613f2e6447cf428489d4b6103a72d703 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35216 Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker with network access via HTTP can compromise this vulnerability can result in Remote Code Execution.Affected Products Patch Manager 2020.2.5 and earlierAffected ProductsPatch Manager 2020.2.6AcknowledgmentsJangggggg working with Trend Micro Zero Day Initiative Thu, 15 Jul 2021 12:00:00 GMT a3b638b31fb64c98964a5dfe05c2c0db https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35221 ImportAlert Improper Access Control Tampering Vulnerability. This vulnerability allows attackers to add arbitrary SMTP servers to the server configuration Thu, 15 Jul 2021 12:00:00 GMT 4669f71984c94ccf86bc98406ca726a5 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35219 This vulnerability allows attackers to impersonate users and perform arbitrary actions on their behalf.Affected ProductsOrion Platform 2020.2.5 and earlierFixed Software ReleaseOrion Platform 2020.2.6 HF1AcknowledgmentsAlex Birnberg of Zymo Security and FireEye Thu, 15 Jul 2021 12:00:00 GMT e4b3802501e34a9daf8c60fb483f8177 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35220 EmailWebPage Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary commands on affected installations of SolarWinds Orion Platform Thu, 15 Jul 2021 12:00:00 GMT 3611d02311974bbc971c5fd4438ca9d4 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35218 Chart Endpoint Deserialization of Untrusted Data RCE.Affected ProductsPatch Manager 2020.2.5 and earlierFixed Software ReleasePatch Manager 2020.2.6AcknowledgmentsJangggggg via Trend Micro Zero Day Initiative Thu, 15 Jul 2021 12:00:00 GMT 1b0486a77b614dcc9b840a1206aadb98 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35212 An SQL injection Privilege Escalation Vulnerability was discovered in the Orion Platform reported by the ZDITeam. A blind Boolean SQL injection which could lead to full read/write over the Orion database contentincluding the Orion certificate for any authenticated user.Affected ProductsOrion 2019.2Orion 2019.4Orion 2020.2.1Orion 2020.2.4Orion 2020.2.5Fixed Software ReleaseOrion 2020.2.5 HF1Orion 2020.2.6Orion 2019.4.2Orion 2019.2 HF4AcknowledgmentsChudy working with Trend Micro Zero Day Initiative Thu, 15 Jul 2021 12:00:00 GMT 783863f4b7a041f4809f84a39d0c104d https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35215 Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.Affected ProductsOrion Platform 2020.2.5 and earlierFixed Software ReleaseOrion Platform 2020.2.6AcknowledgmentsJangggggg working with Trend Micro Zero Day Initiative Thu, 15 Jul 2021 12:00:00 GMT 887c5aed5f5543a79eff555b8acf15ff https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35211 CVE-2021-35211 Fri, 09 Jul 2021 12:00:00 GMT 031b1403eb354166afdb41c680cebac2 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-28674 Access control based vulnerability which allows an authenticated Orion user with node management rights from Group A delete nodes from Group B.Affected Products Orion Platform 2019.4 and earlierFixed Software ReleaseOrion Platform 2020.2.6Orion Platform 2020.2.5 HF1AcknowledgmentsCyber Factory, ENEDIS Enedis Thu, 13 May 2021 12:00:00 GMT e55b477f6f9a4691bfd05c9c88ee003c https://www.solarwinds.com/trust-center/security-advisories/cve-2021-32604 SolarWinds Serv-U FTP Server versions through to 15.2.2.573 do not correctly sanitise andvalidate the user-supplied 'SenderEmail' parameter, allowing malicious JavaScript to be injected into apublicly shareable URL, when the supplied URL is reached the XSS payload is triggered.Affected ProductsServ-U 15.2.2 and earlierFixed Software ReleaseServ-U 15.2.3AcknowledgmentsTrustwave to Victor Kahan of Trustwave Wed, 05 May 2021 12:00:00 GMT 5d6effb057004e35a9fc8755bfeac43e https://www.solarwinds.com/trust-center/security-advisories/cve-2021-31475 The vulnerability can be used to achieve authenticated RCE as Administrator. In order to exploit this, an attacker first needs to know the credentials of an unprivileged local account on the Orion Server.Affected ProductsOrion Platform 2020.2.1 HF2 and earlierFixed Software ReleaseOrion Platform 2020.2.5AcknowledgmentsHarrison NealZDI Trend Micro Thu, 25 Mar 2021 12:00:00 GMT 87e3056ee7824afaa412387e80c13599 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-27258 This vulnerability allows remote attackers to execute escalate privileges on affected installations of SolarWinds Orion Platform 2020.2. Authentication is not required to exploit this vulnerability Thu, 25 Mar 2021 12:00:00 GMT 695ae45c35b749279c5307ad015c1d6d https://www.solarwinds.com/trust-center/security-advisories/cve-2021-3109 The custom menu item options page in SolarWinds Orion Platform before 2020.2.5 allows Reverse Tabnabbing in the context of an administrator account.Affected ProductsOrion Platform versions 2020.2.4 and earlierFixed Software ReleaseOrion Platform 2020.2.5AcknowledgmentsJhon Jaro Thu, 25 Mar 2021 12:00:00 GMT 99e44a0d2d6e48abab8416e04afe884e https://www.solarwinds.com/trust-center/security-advisories/cve-2021-31474 This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is required to exploit this vulnerability Thu, 25 Mar 2021 12:00:00 GMT 4f592b7f3c2043e9bab9bdb2e40bb684 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-27277 This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Orion Virtual Infrastructure Monitor 2020.2. An attacker must first obtain the ability to execute low-privileged code on the target system to exploit this vulnerability Thu, 25 Mar 2021 12:00:00 GMT 2240f0ce6aba4a59951388030bb78f34 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-25275 SolarWinds Orion Platform versions before 2020.2.4, as used by various SolarWinds products, installs and uses a SQL Server back end, and stores database credentials to access this back end in a file readable by unprivileged users. As a result, any user having access to the filesystem can read database login details from that file, including the login name and its associated password Fri, 05 Feb 2021 12:00:00 GMT d1b4b357895a477880730e3272753f6a https://www.solarwinds.com/trust-center/security-advisories/cve-2021-25274 The Collector Service in SolarWinds Orion Platform versions before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process Fri, 05 Feb 2021 12:00:00 GMT 08dccccebacf4e10aa1b1a4055fc98e1 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-25276 In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files (that include users' password hashes) that is world readable and writable. An unprivileged Windows user (having access to the server's filesystem) can add an FTP user by copying a valid profile file to this directory Mon, 18 Jan 2021 12:00:00 GMT 19f10641f4e049a3adc95ced7c774ec7 https://www.solarwinds.com/trust-center/security-advisories/cve-2021-27240 This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds PatchManager 2020.2.1. An attacker must first obtain the ability to execute low-privileged code on the target systemto exploit this vulnerability Tue, 15 Dec 2020 12:00:00 GMT bab8b86ea1f142b6a102e0b2f0405b71 https://www.solarwinds.com/trust-center/security-advisories/cve-2025-26393 SolarWinds Service Desk is affected by a vulnerability where unauthorized authenticated requesters can override ticket states, potentially redirecting ticket flows and changing process behavior. 718d29306d9044cd90025b3ef2673562 https://www.solarwinds.com/trust-center/security-advisories/cve-2022-2274 SolarWinds made aware of the OpenSSL security advisory published on July 5, 2022. The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions