SolarWinds has released patches for two security vulnerabilities in its Access Rights Manager (ARM) software, including a critical flaw that could lead to remote code execution (RCE).
The flaw, tracked as CVE-2024-28991, received a CVSS score of 9.0 out of 10 and is described as a deserialization of untrusted data issue. "If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution," SolarWinds said in its advisory.
Discovered and reported by Piotr Bazydlo of Trend Micro Zero Day Initiative (ZDI) on May 24, 2024, the RCE vulnerability exists within the class JsonSerializationBinder, where insufficient validation of user-supplied data could expose ARM devices to deserialization attacks, enabling arbitrary code execution.
While authentication is needed to exploit this vulnerability, ZDI highlighted that the authentication mechanism can be bypassed, making the flaw even more dangerous. ZDI rated the flaw with a CVSS score of 9.9, emphasizing its severity.
Additionally, SolarWinds addressed a medium-severity flaw (CVE-2024-28990, CVSS score: 6.3) in ARM, which involved a hard-coded credential that could allow unauthorized access to the RabbitMQ management console.
Both vulnerabilities have been patched in ARM version 2024.3.1. Though there’s no evidence of active exploitation, users are strongly advised to update to the latest version to protect their systems from potential threats.
This update from SolarWinds follows a similar action from D-Link, which recently patched three critical vulnerabilities in its routers (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697), preventing remote execution of arbitrary code and system commands.