Critical Vulnerabilities in SolarWinds ARM Product
21 October 2023
SolarWinds has released security updates to address critical vulnerabilities (CVE-2023-35182, CVE-2023-35185 and CVE-2023-35187) in its Access Rights Manager (ARM) product.
The critical vulnerabilities are:
• CVE-2023-35182: A deserialisation of untrusted data vulnerability in the ‘createGlobalServerChannelInternal’ method could allow unauthenticated attackers on the SolarWinds ARM Server to perform remote code execution.
• CVE-2023-35185: A directory traversal vulnerability due to a lack of validation of user-supplied paths in the ‘OpenFile’ method could allow unauthenticated attackers to perform remote code execution using SYSTEM privileges.
• CVE-2023-35187: A directory traversal vulnerability due to a lack of validation of user-supplied paths in the ‘OpenClientUpdateFile’ method could allow unauthenticated attackers to perform remote code execution using SYSTEM privileges.
The vulnerabilities affect SolarWinds ARM versions 2023.2 and earlier.
Users and administrators of affected product versions are advised to update to the latest version immediately.
More information is available here: