SolarWinds Access Rights Manager (ARM) Internal Deserialization Remote Code Execution Vulnerability
(CVE-2024-28074)
Summary
It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.
We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
Affected Products
- SolarWinds Access Rights Manager (ARM) 2023.2.4 and prior versions
Fixed Software Release
Acknowledgments
- Anonymous working with Trend Micro Zero Day Initiative
Advisory Details
Severity
9.6 Critical
Advisory ID
First Published
07/17/2024