SolarWinds IT Management Software and Remote Monitoring Tools
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any SolarWinds product.
Products by SolarWinds Sorted by Most Security Vulnerabilities since 2018
Known Exploited SolarWinds Vulnerabilities
The following SolarWinds vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| SolarWinds Web Help Desk Hardcoded Credential Vulnerability |
SolarWinds Web Help Desk contains a hardcoded credential vulnerability that could allow a remote, unauthenticated user to access internal functionality and modify data. CVE-2024-28987 Exploit Probability: 94.0% |
October 15, 2024 |
| SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability |
SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could allow for remote code execution. CVE-2024-28986 Exploit Probability: 45.9% |
August 15, 2024 |
| SolarWinds Serv-U Path Traversal Vulnerability |
SolarWinds Serv-U contains a path traversal vulnerability that allows an attacker access to read sensitive files on the host machine. CVE-2024-28995 Exploit Probability: 94.3% |
July 17, 2024 |
| SolarWinds Serv-U Improper Input Validation Vulnerability |
SolarWinds Serv-U versions 15.2.5 and earlier contain an improper input validation vulnerability which allows attackers to build and send queries without sanitization. CVE-2021-35247 Exploit Probability: 4.3% |
January 21, 2022 |
| SolarWinds Orion API Authentication Bypass Vulnerability |
The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected. CVE-2020-10148 Exploit Probability: 94.3% |
November 3, 2021 |
| SolarWinds Serv-U Remote Memory Escape Vulnerability |
Microsoft discovered a remote code execution (RCE) vulnerability in the SolarWinds Serv-U product utilizing a Remote Memory Escape Vulnerability. CVE-2021-35211 Exploit Probability: 94.1% |
November 3, 2021 |
| SolarWinds Virtualization Manager Privilege Escalation Vulnerability |
SolarWinds Virtualization Manager 6.3.1 and earlier allow local users to gain privileges by leveraging a misconfiguration of sudo, as demonstrated by "sudo cat /etc/passwd." CVE-2016-3643 Exploit Probability: 7.0% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 4 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. The vulnerability CVE-2024-28986: SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability is in the top 5% of the currently known exploitable vulnerabilities.
By the Year
In 2025 there have been 4 vulnerabilities in SolarWinds with an average score of 5.9 out of ten. Last year, in 2024 SolarWinds had 44 security vulnerabilities published. Right now, SolarWinds is on track to have less security vulnerabilities in 2025 than it did last year. Last year, the average CVE base score was greater by 2.27
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2025 | 4 | 5.90 |
| 2024 | 44 | 8.17 |
| 2023 | 47 | 7.38 |
| 2022 | 24 | 6.58 |
| 2021 | 50 | 6.99 |
| 2020 | 29 | 7.08 |
| 2019 | 14 | 7.51 |
| 2018 | 5 | 8.10 |
It may take a day or so for new SolarWinds vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent SolarWinds Security Vulnerabilities
SolarWinds Web Help Desk was found to have a hardcoded cryptographic key
CVE-2024-28989
5.5 - Medium
- February 11, 2025
SolarWinds Web Help Desk was found to have a hardcoded cryptographic key that could allow the disclosure of sensitive information from the software.
Use of Hard-coded Credentials
SolarWinds Platform is affected by server-side request forgery vulnerability
CVE-2024-52606
9.8 - Critical
- February 11, 2025
SolarWinds Platform is affected by server-side request forgery vulnerability. Proper input sanitation was not applied allowing for the possibility of a malicious web request.
SSRF
The SolarWinds Platform is vulnerable to an information disclosure vulnerability through an error message
CVE-2024-52611
3.5 - Low
- February 11, 2025
The SolarWinds Platform is vulnerable to an information disclosure vulnerability through an error message. While the data does not provide anything sensitive, the information could assist an attacker in other malicious actions.
Generation of Error Message Containing Sensitive Information
SolarWinds Platform is vulnerable to a reflected cross-site scripting vulnerability
CVE-2024-52612
4.8 - Medium
- February 11, 2025
SolarWinds Platform is vulnerable to a reflected cross-site scripting vulnerability. This was caused by an insufficient sanitation of input parameters. This vulnerability requires authentication by a high- privileged account to be exploitable.
XSS
SolarWinds Web Help Desk Local File Read Vulnerability in Development/Test Mode
CVE-2024-45709
5.5 - Medium
- December 10, 2024
SolarWinds Web Help Desk was susceptible to a local file read vulnerability. This vulnerability requires the software be installed on Linux and configured to use non-default development/test mode making exposure to the vulnerability very limited.
Directory traversal
SolarWinds Platform: Authenticated Stored XSS in Search and Node Information UI
CVE-2024-45717
4.8 - Medium
- December 04, 2024
The SolarWinds Platform was susceptible to a XSS vulnerability that affects the search and node information section of the user interface. This vulnerability requires authentication and requires user interaction.
XSS
SolarWinds Kiwi CatTools is susceptible to a sensitive data disclosure vulnerability when a non-default setting has been enabled for troubleshooting purposes.
CVE-2024-45713
4.4 - Medium
- October 17, 2024
SolarWinds Kiwi CatTools is susceptible to a sensitive data disclosure vulnerability when a non-default setting has been enabled for troubleshooting purposes.
Generation of Error Message Containing Sensitive Information
Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users permissions
CVE-2024-45714
4.1 - Medium
- October 16, 2024
Application is vulnerable to Cross Site Scripting (XSS) an authenticated attacker with users permissions can modify a variable with a payload.
XSS
The SolarWinds Platform was susceptible to a Cross-Site Scripting vulnerability when performing an edit function to existing elements.
CVE-2024-45715
6.1 - Medium
- October 16, 2024
The SolarWinds Platform was susceptible to a Cross-Site Scripting vulnerability when performing an edit function to existing elements.
XSS
SolarWinds Platform is susceptible to an Uncontrolled Search Path Element Local Privilege Escalation vulnerability
CVE-2024-45710
7.8 - High
- October 16, 2024
SolarWinds Platform is susceptible to an Uncontrolled Search Path Element Local Privilege Escalation vulnerability. This requires a low privilege account and local access to the affected node machine.
DLL preloading
SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user
CVE-2024-45711
8.8 - High
- October 16, 2024
SolarWinds Serv-U is vulnerable to a directory traversal vulnerability where remote code execution is possible depending on privileges given to the authenticated user. This issue requires a user to be authenticated and this is present when software environment variables are abused. Authentication is required for this vulnerability
Directory traversal
SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability
CVE-2024-28990
9.8 - Critical
- September 12, 2024
SolarWinds Access Rights Manager (ARM) was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability would allow access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
Use of Hard-coded Credentials
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability
CVE-2024-28991
8.8 - High
- September 12, 2024
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.
Marshaling, Unmarshaling
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability
CVE-2024-28987
9.1 - Critical
- August 21, 2024
The SolarWinds Web Help Desk (WHD) software is affected by a hardcoded credential vulnerability, allowing remote unauthenticated user to access internal functionality and modify data.
Use of Hard-coded Credentials
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability
CVE-2024-28986
9.8 - Critical
- August 13, 2024
SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing. However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.
Marshaling, Unmarshaling
The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability
CVE-2024-23465
9.8 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was found to be susceptible to an authentication bypass vulnerability. This vulnerability allows an unauthenticated user to gain domain admin access within the Active Directory environment.
authentification
The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability
CVE-2024-23470
9.8 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was found to be susceptible to a pre-authentication remote code execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to run commands and executables.
authentification
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability
CVE-2024-23471
9.8 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.
authentification
The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.
CVE-2024-23474
9.8 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was found to be susceptible to an Arbitrary File Deletion and Information Disclosure vulnerability.
Directory traversal
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability
CVE-2024-23475
9.8 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
Directory traversal
It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager
CVE-2024-28074
9.8 - Critical
- July 17, 2024
It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.
Marshaling, Unmarshaling
SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability
CVE-2024-23469
9.8 - Critical
- July 17, 2024
SolarWinds Access Rights Manager (ARM) is susceptible to a Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.
Improper Input Validation
SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability
CVE-2024-23466
9.8 - Critical
- July 17, 2024
SolarWinds Access Rights Manager (ARM) is susceptible to a Directory Traversal Remote Code Execution vulnerability. If exploited, this vulnerability allows an unauthenticated user to perform the actions with SYSTEM privileges.
Directory traversal
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability
CVE-2024-23467
9.8 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform remote code execution.
Directory traversal
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability
CVE-2024-23468
9.4 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
Directory traversal
SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability
CVE-2024-23472
8.8 - High
- July 17, 2024
SolarWinds Access Rights Manager (ARM) is susceptible to Directory Traversal vulnerability. This vulnerability allows an authenticated user to arbitrary read and delete files in ARM.
Directory traversal
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability
CVE-2024-28992
9.4 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
Directory traversal
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability
CVE-2024-28993
9.4 - Critical
- July 17, 2024
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal and Information Disclosure Vulnerability. This vulnerability allows an unauthenticated user to perform arbitrary file deletion and leak sensitive information.
Directory traversal
SolarWinds Serv-U was susceptible to a directory transversal vulnerability
CVE-2024-28995
7.5 - High
- June 06, 2024
SolarWinds Serv-U was susceptible to a directory transversal vulnerability that would allow access to read sensitive files on the host machine.
Directory traversal
The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.
CVE-2024-28999
8.1 - High
- June 04, 2024
The SolarWinds Platform was determined to be affected by a Race Condition Vulnerability affecting the web console.
Race Condition
The SolarWinds Platform was determined to be affected by a stored cross-site scripting vulnerability affecting the web console
CVE-2024-29004
4.8 - Medium
- June 04, 2024
The SolarWinds Platform was determined to be affected by a stored cross-site scripting vulnerability affecting the web console. A high-privileged user and user interaction is required to exploit this vulnerability.
XSS
The SolarWinds Platform was determined to be affected by a SWQL Injection Vulnerability
CVE-2024-28996
8.1 - High
- June 04, 2024
The SolarWinds Platform was determined to be affected by a SWQL Injection Vulnerability. Attack complexity is high for this vulnerability.
SQL Injection
The SolarWinds Platform was determined to be affected by a reflected cross-site scripting vulnerability affecting the web console
CVE-2024-29000
4.8 - Medium
- May 20, 2024
The SolarWinds Platform was determined to be affected by a reflected cross-site scripting vulnerability affecting the web console. A high-privileged user and user interaction is required to exploit this vulnerability.
XSS
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability
CVE-2024-28075
8.8 - High
- May 14, 2024
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
Marshaling, Unmarshaling
The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability
CVE-2024-23473
9.8 - Critical
- May 14, 2024
The SolarWinds Access Rights Manager was found to contain a hard-coded credential authentication bypass vulnerability. If exploited, this vulnerability allows access to the RabbitMQ management console. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.
Use of Hard-coded Credentials
A highly privileged account can overwrite arbitrary files on the system with log output
CVE-2024-28072
4.9 - Medium
- May 03, 2024
A highly privileged account can overwrite arbitrary files on the system with log output. The log file path tags were not sanitized properly.
Insertion of Sensitive Information into Log File
The SolarWinds Platform was susceptible to a XSS vulnerability that affects the maps section of the user interface
CVE-2024-29003
5.4 - Medium
- April 18, 2024
The SolarWinds Platform was susceptible to a XSS vulnerability that affects the maps section of the user interface. This vulnerability requires authentication and requires user interaction.
XSS
The SolarWinds Platform was susceptible to a Arbitrary Open Redirection Vulnerability
CVE-2024-28076
4.7 - Medium
- April 18, 2024
The SolarWinds Platform was susceptible to a Arbitrary Open Redirection Vulnerability. A potential attacker can redirect to different domain when using URL parameter with relative entry in the correct format
Open Redirect
A SolarWinds Platform SWQL Injection Vulnerability was identified in the user interface
CVE-2024-29001
8 - High
- April 18, 2024
A SolarWinds Platform SWQL Injection Vulnerability was identified in the user interface. This vulnerability requires authentication and user interaction to be exploited.
SQL Injection
SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability
CVE-2024-28073
7.2 - High
- April 17, 2024
SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited.
Directory traversal
The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability
CVE-2024-0692
9.8 - Critical
- March 01, 2024
The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds service, resulting in remote code execution.
Marshaling, Unmarshaling
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability
CVE-2023-40057
9 - Critical
- February 15, 2024
The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.
Marshaling, Unmarshaling
The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability
CVE-2024-23476
9.6 - Critical
- February 15, 2024
The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
Directory traversal
The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability
CVE-2024-23477
9.6 - Critical
- February 15, 2024
The SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.
Directory traversal
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability
CVE-2024-23478
8 - High
- February 15, 2024
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.
Marshaling, Unmarshaling
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability
CVE-2024-23479
9.6 - Critical
- February 15, 2024
SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Directory Traversal Remote Code Execution Vulnerability. If exploited, this vulnerability allows an unauthenticated user to achieve a Remote Code Execution.
Directory traversal
SQL Injection Remote Code Execution Vulnerability was found using a create statement in the SolarWinds Platform
CVE-2023-35188
8.8 - High
- February 06, 2024
SQL Injection Remote Code Execution Vulnerability was found using a create statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited.
SQL Injection
SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform
CVE-2023-50395
8.8 - High
- February 06, 2024
SQL Injection Remote Code Execution Vulnerability was found using an update statement in the SolarWinds Platform. This vulnerability requires user authentication to be exploited
SQL Injection
Sensitive data was added to our public-facing knowledgebase
CVE-2023-40058
6.5 - Medium
- December 21, 2023
Sensitive data was added to our public-facing knowledgebase that, if exploited, could be used to access components of Access Rights Manager (ARM) if the threat actor is in the same environment.
A vulnerability has been identified within Serv-U 15.4
CVE-2023-40053
5 - Medium
- December 06, 2023
A vulnerability has been identified within Serv-U 15.4 that allows an authenticated actor to insert content on the file share function feature of Serv-U, which could be used maliciously.
SQL Injection Remote Code Vulnerability was found in the SolarWinds
Platform
CVE-2023-40056
8.8 - High
- November 28, 2023
SQL Injection Remote Code Vulnerability was found in the SolarWinds Platform. This vulnerability can be exploited with a low privileged account.
SQL Injection
The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability
CVE-2023-40054
8.8 - High
- November 09, 2023
The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33226
The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability
CVE-2023-40055
8.8 - High
- November 09, 2023
The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges. We found this issue was not resolved in CVE-2023-33227
The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability
CVE-2023-33226
8.8 - High
- November 01, 2023
The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows a low-level user to perform the actions with SYSTEM privileges.
Directory traversal
SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability
CVE-2023-40062
8.8 - High
- November 01, 2023
SolarWinds Platform Incomplete List of Disallowed Inputs Remote Code Execution Vulnerability. If executed, this vulnerability would allow a low-privileged user to execute commands with SYSTEM privileges.
Improper Input Validation
Insecure
job execution mechanism vulnerability
CVE-2023-40061
8.8 - High
- November 01, 2023
Insecure job execution mechanism vulnerability. This vulnerability can lead to other attacks as a result.
Improper Input Validation
The SolarWinds Network Configuration Manager was susceptible to the Exposure of Sensitive Information Vulnerability
CVE-2023-33228
4.9 - Medium
- November 01, 2023
The SolarWinds Network Configuration Manager was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to obtain sensitive information.
Missing Encryption of Sensitive Data
The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability This vulnerability
CVE-2023-33227
8.8 - High
- November 01, 2023
The Network Configuration Manager was susceptible to a Directory Traversal Remote Code Execution Vulnerability This vulnerability allows a low level user to perform the actions with SYSTEM privileges.
Directory traversal
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.
CVE-2023-35185
6.8 - Medium
- October 19, 2023
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.
Directory traversal
The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability
CVE-2023-35181
7.8 - High
- October 19, 2023
The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows users to abuse incorrect folder permission resulting in Privilege Escalation.
Incorrect Default Permissions
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability
CVE-2023-35182
9.8 - Critical
- October 19, 2023
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.
Marshaling, Unmarshaling
The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability
CVE-2023-35183
7.8 - High
- October 19, 2023
The SolarWinds Access Rights Manager was susceptible to Privilege Escalation Vulnerability. This vulnerability allows authenticated users to abuse local resources to Privilege Escalation.
Incorrect Default Permissions
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability
CVE-2023-35184
9.8 - Critical
- October 19, 2023
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.
Marshaling, Unmarshaling
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability
CVE-2023-35186
8.8 - High
- October 19, 2023
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.
Marshaling, Unmarshaling
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability
CVE-2023-35187
9.8 - Critical
- October 19, 2023
The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability allows an unauthenticated user to achieve the Remote Code Execution.
Directory traversal
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability
CVE-2023-35180
8.8 - High
- October 19, 2023
The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.
Marshaling, Unmarshaling
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability
CVE-2023-23840
7.2 - High
- September 13, 2023
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.
Incorrect Comparison
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability
CVE-2023-23845
7.2 - High
- September 13, 2023
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.
Incorrect Comparison
A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1
CVE-2023-40060
7.2 - High
- September 07, 2023
A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4. SolarWinds found that the issue was not completely fixed in 15.4 Hotfix 1.
Authorization
A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication
CVE-2023-35179
7.2 - High
- August 11, 2023
A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action.
Authorization
Access Control Bypass Vulnerability in the SolarWinds Platform
CVE-2023-3622
4.3 - Medium
- July 26, 2023
Access Control Bypass Vulnerability in the SolarWinds Platform that allows an underprivileged user to read arbitrary resource
authentification
The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability
CVE-2023-23842
7.2 - High
- July 26, 2023
The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.
Directory traversal
The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability
CVE-2023-33229
3.5 - Low
- July 26, 2023
The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML.
Code Injection
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability
CVE-2023-33225
7.2 - High
- July 26, 2023
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.
Incorrect Comparison
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability
CVE-2023-23843
7.2 - High
- July 26, 2023
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.
Incorrect Comparison
The SolarWinds Platform was susceptible to the Incorrect Behavior Order Vulnerability
CVE-2023-33224
7.2 - High
- July 26, 2023
The SolarWinds Platform was susceptible to the Incorrect Behavior Order Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability
CVE-2023-23844
7.2 - High
- July 26, 2023
The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.
Incorrect Comparison
XSS attack was possible in DPA 2023.2 due to insufficient input validation
CVE-2023-33231
6.1 - Medium
- July 18, 2023
XSS attack was possible in DPA 2023.2 due to insufficient input validation
XSS
SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request
CVE-2023-23841
7.5 - High
- June 15, 2023
SolarWinds Serv-U is submitting an HTTP request when changing or updating the attributes for File Share or File request.? Part of the URL of the request discloses sensitive data.
Cleartext Transmission of Sensitive Information
The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability
CVE-2023-23839
6.5 - Medium
- April 25, 2023
The SolarWinds Platform was susceptible to the Exposure of Sensitive Information Vulnerability. This vulnerability allows users to access Orion.WebCommunityStrings SWIS schema object and obtain sensitive information.
Directory traversal and file enumeration vulnerability which
CVE-2023-23838
6.5 - Medium
- April 25, 2023
Directory traversal and file enumeration vulnerability which allowed users to enumerate to different folders of the server.
Directory traversal
No exception handling vulnerability
CVE-2023-23837
7.5 - High
- April 25, 2023
No exception handling vulnerability which revealed sensitive or excessive information to users.
Improper Handling of Exceptional Conditions
The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability
CVE-2022-47509
6.1 - Medium
- April 21, 2023
The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject HTML.
XSS
The SolarWinds Platform was susceptible to the Command Injection Vulnerability
CVE-2022-36963
7.2 - High
- April 21, 2023
The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.
Code Injection
The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability
CVE-2022-47505
7.8 - High
- April 21, 2023
The SolarWinds Platform was susceptible to the Local Privilege Escalation Vulnerability. This vulnerability allows a local adversary with a valid system user account to escalate local privileges.
Improper Privilege Management
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data
CVE-2022-38111
7.2 - High
- February 15, 2023
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
Marshaling, Unmarshaling
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data
CVE-2022-47503
7.2 - High
- February 15, 2023
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
Marshaling, Unmarshaling
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data
CVE-2022-47504
7.2 - High
- February 15, 2023
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
Marshaling, Unmarshaling
SolarWinds Platform was susceptible to the Directory Traversal Vulnerability
CVE-2022-47506
7.8 - High
- February 15, 2023
SolarWinds Platform was susceptible to the Directory Traversal Vulnerability. This vulnerability allows a local adversary with authenticated account access to edit the default configuration, enabling the execution of arbitrary commands.
Directory traversal
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data
CVE-2022-47507
7.2 - High
- February 15, 2023
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.
Marshaling, Unmarshaling
Customers who had configured their polling to occur
CVE-2022-47508
7.5 - High
- February 15, 2023
Customers who had configured their polling to occur via Kerberos did not expect NTLM Traffic on their environment, but since we were querying for data via IP address this prevented us from utilizing Kerberos.
SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data
CVE-2023-23836
7.2 - High
- February 15, 2023
SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands.
Marshaling, Unmarshaling
Use of uninitialized variable in function gen_eth_recv in GNS3 dynamips 0.2.21.
CVE-2022-47012
7.5 - High
- January 20, 2023
Use of uninitialized variable in function gen_eth_recv in GNS3 dynamips 0.2.21.
Use of Uninitialized Resource
In DPA 2022.4 and older releases
CVE-2022-38112
7.5 - High
- January 20, 2023
In DPA 2022.4 and older releases, generated heap memory dumps contain sensitive information in cleartext.
Cleartext Storage of Sensitive Information
In Database Performance Analyzer (DPA) 2022.4 and older releases
CVE-2022-38110
5.4 - Medium
- January 20, 2023
In Database Performance Analyzer (DPA) 2022.4 and older releases, certain URL vectors are susceptible to authenticated reflected cross-site scripting.
XSS
Sensitive information was stored in plain text in a file
CVE-2022-47512
5.5 - Medium
- December 19, 2022
Sensitive information was stored in plain text in a file that is accessible by a user with a local account in Hybrid Cloud Observability (HCO)/ SolarWinds Platform 2022.4. No other versions are affected
Cleartext Storage of Sensitive Information
This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1
CVE-2022-38106
5.4 - Medium
- December 16, 2022
This vulnerability happens in the web client versions 15.3.0 to Serv-U 15.3.1. This vulnerability affects the directory creation function.
XSS
Common encryption key appears to be used across all deployed instances of Serv-U FTP Server
CVE-2021-35252
7.5 - High
- December 16, 2022
Common encryption key appears to be used across all deployed instances of Serv-U FTP Server. Because of this an encrypted value that is exposed to an attacker can be simply recovered to plaintext.
authentification
SolarWinds Platform was susceptible to Improper Input Validation
CVE-2022-36960
8.8 - High
- November 29, 2022
SolarWinds Platform was susceptible to Improper Input Validation. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to escalate user privileges.
authentification
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data
CVE-2022-36964
8.8 - High
- November 29, 2022
SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.
Marshaling, Unmarshaling