SolarWinds has released patches to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could lead to remote code execution.
Vulnerability, tracked as CVE-2024-28991rated 9.0 out of a maximum of 10.0 on the CVSS grading system. This has been described as an instance of untrusted data deserialization.
“SolarWinds Access Rights Manager (ARM) has been found to be vulnerable to a remote code execution vulnerability,” the company said in a statement. said in the consulting room. “If exploited, this vulnerability would allow an authenticated user to abuse the service, leading to remote code execution.”
Security researcher Piotr Bazydlo of the Trend Micro Zero Day Initiative (ZDI) discovered the flaw and reported it on May 24, 2024.
ZDI, which assigned the flaw a CVSS score of 9.9, said it exists within limits class is called JsonSerializationBinder and is caused by a lack of proper validation of user-supplied data, leaving ARM devices exposed to a deserialization vulnerability that can then be abused to execute arbitrary code.
“Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed,” ZDI notes. said.
SolarWinds has also addressed the medium severity flaw in ARM (CVE-2024-28990CVSS score: 6.3) that exposed hard-coded credentials that, if successfully exploited, could allow unauthorized access to the RabbitMQ management console.
Both issues have been fixed ARM version 2024.3.1. Although there is currently no evidence of active exploitation of the vulnerabilities, users are advised to update to the latest version as soon as possible to guard against potential threats.
The development is the same as D-Link it’s decided three critical vulnerabilities affecting routers DIR-X4860, DIR-X5460, and COVR-X1870 (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697, CVSS score: 9.8) that could allow remote execution arbitrary code and system commands.
