Critical Vulnerabilities in SolarWinds ARM Product

Published on 19 Feb 2024

SolarWinds has released security updates to address critical vulnerabilities (CVE-2023-40057, CVE-2024-23476 and CVE-2024-23479) affecting its Access Rights Manager (ARM) product.

The critical vulnerabilities are:
  • CVE-2023-40057: Successful exploitation of the input validation vulnerability may allow an authenticated attacker to abuse a SolarWinds service to perform remote code execution
  • CVE-2024-23476: Successful exploitation of the directory traversal vulnerability may allow an unauthenticated attacker to perform remote code execution
  • CVE-2024-23479: Successful exploitation of the directory traversal vulnerability may allow an unauthenticated attacker to perform remote code execution

The vulnerabilities affect SolarWinds ARM versions 2023.2 and earlier.

Users and administrators of affected product versions are advised to update to the latest version immediately.

More information is available here: