CVE-2021-27240 is a vulnerability in SolarWinds Patch Manager
Published on March 29, 2021
This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Patch Manager 2020.2.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the DataGridService WCF service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of Administrator. Was ZDI-CAN-12009.
Weakness Type
What is a Marshaling, Unmarshaling Vulnerability?
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVE-2021-27240 has been classified to as a Marshaling, Unmarshaling vulnerability or weakness.
Products Associated with CVE-2021-27240
You can be notified by email with stack.watch whenever vulnerabilities like CVE-2021-27240 are published in SolarWinds Patch Manager:
Affected Versions
SolarWinds Patch Manager Version 2020.2.1 is affected by CVE-2021-27240Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.