Five remote code execution (RCE) vulnerabilities - three of which are critical - in SolarWinds' Access Rights Manager software have been uncovered and patched.
Trend Micro's Zero Day Initiative (ZDI) discovered and reported the flaws in the software, which offers user permissions analysis, monitoring, and logging for, among others, Exchange Online, Azure Active Directory, OneDrive, and SharePoint Online, as well as review of groups, user permissions and user access to files and systems.
"If exploited, these vulnerabilities allow an unauthenticated user to achieve the Remote Code Execution," a SolarWinds’ advisory said of CVE-2024-23476 and CVE-2024-23479, two of the critical vulnerabilities (both CVSS 9.6).
A third critical vulnerability, CVE-2023-40057 (CVSS 9.0), allowed an authenticated user to abuse a SolarWinds service, resulting in remote code execution.
The other two vulnerabilities in the group, CVE-2024-23477 (a directory traversal bug) and CVE-2024-23478 (a deserialisation bug), both carry a "high" severity rating, with CVSS scores of 7.9 and 8.0 respectively.
CVE page for each vulnerability, with affected software, remedy info, reference links and peer vulnerabilities:

- CVE-2024-23476
- CVE-2024-23479
- CVE-2023-40057
- CVE-2024-23477
- CVE-2024-23478