
SolarWinds has issued an urgent security advisory regarding multiple critical vulnerabilities discovered in its Access Rights Manager product. These flaws expose organizations to a range of severe threats, including unauthorized access, data breaches, and potentially complete system takeover.
The flaws were discovered and reported by researchers working with Trend Micro’s Zero Day Initiative (ZDI).
Any organization running SolarWinds Access Rights Manager is at risk, although the company stated it has not received reports of these vulnerabilities being exploited in the wild.
SolarWinds has released Access Rights Manager 2024.3, which includes patches for all identified vulnerabilities. All organizations running ARM must update to this version immediately to protect their systems and data.
Vulnerabilities Summary
| CVE ID | CVSS Score | Description |
|---|---|---|
| CVE-2024-23475 | 9.6 | Directory traversal and information disclosure vulnerability allowing unauthenticated users to delete arbitrary files and access sensitive information. |
| CVE-2024-23469 | 9.6 | Remote code execution (RCE) vulnerability that permits unauthenticated users to execute commands with SYSTEM privileges. |
| CVE-2024-23472 | 9.6 | Directory traversal vulnerability enabling authenticated users to read and delete files arbitrarily. |
| CVE-2024-23466 | 9.6 | RCE vulnerability due to directory traversal, enabling unauthenticated users to perform actions with SYSTEM privileges. |
| CVE-2024-23471 | 9.6 | RCE vulnerability enabling authenticated users to abuse a SolarWinds service for remote code execution. |
| CVE-2024-23470 | 9.6 | Pre-authentication RCE vulnerability allowing unauthenticated users to run commands and executables. |
| CVE-2024-28074 | 9.6 | Deserialization RCE vulnerability; a previously identified flaw that was not completely fixed, allowing exploitation via a different method. |
| CVE-2024-23467 | 9.6 | RCE vulnerability allowing unauthenticated remote code execution. |
| CVE-2024-23465 | 8.3 | Authentication bypass flaw allowing unauthenticated users to gain domain admin access within Active Directory environments. |
| CVE-2024-28993 | 7.6 | Directory traversal and information disclosure vulnerability allowing arbitrary file deletion and leakage of sensitive data. |
| CVE-2024-28992 | 7.6 | Arbitrary file deletion and information leakage. |
| CVE-2024-23474 | 7.6 | Directory traversal vulnerability resulting in arbitrary file deletion and information disclosure. |
| CVE-2024-23468 | 7.6 | Directory traversal and information disclosure vulnerability allowing unauthorized file deletion and data leakage. |