Critical Vulnerabilities in SolarWinds Access Rights Manager (ARM) Product
19 July 2024
SolarWinds has released security updates to address critical vulnerabilities (CVE-2024-23466, CVE-2024-23467, CVE-2024-23469, CVE-2024-23470, CVE-2024-23471, CVE-2024-23472, CVE-2024-28074 and CVE-2024-23475) in their Access Rights Manager (ARM) product. These vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.6 out of 10.
The critical vulnerabilities are:
CVE-2024-23466: A directory traversal vulnerability that may allow an unauthenticated user to perform actions with SYSTEM privileges.
CVE-2024-23467: A directory traversal and information disclosure vulnerability that may allow an unauthenticated user to perform remote code execution.
CVE-2024-23469: An exposed dangerous method vulnerability that may allow an unauthenticated user to perform remote code execution with SYSTEM privileges.
CVE-2024-23470: A pre-authentication remote code execution vulnerability that may allow unauthenticated users to run commands and executables.
CVE-2024-23471: A createfile directory traversal vulnerability that may allow authenticated users to abuse a SolarWinds service for remote code execution.
CVE-2024-23472: A directory traversal vulnerability that may allow an authenticated user to arbitrarily read and delete files.
CVE-2024-28074: An internal deserialisation vulnerability that may allow an unauthenticated user to execute code or commands with SYSTEM privileges.
CVE-2024-23475: A directory traversal vulnerability that may allow an unauthenticated user to perform arbitrary file deletion and obtain sensitive information after accessing files or folders outside of restricted directories.
The vulnerabilities affect SolarWinds ARM versions 2023.2.4 and earlier.
Users and administrators of affected product versions are advised to update to the latest version immediately.
More information is available here:
https://www.solarwinds.com/trust-center/security-advisories
https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2024-3_release_notes.htm
https://www.bleepingcomputer.com/news/security/solarwinds-fixes-8-critical-bugs-in-access-rights-audit-software/