Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2022-47504

Summary
Assigner-SolarWinds
Assigner Org ID-49f11609-934d-4621-84e6-e02e032104d6
Published At-15 Feb, 2023 | 00:00
Updated At-18 Mar, 2025 | 19:13
Rejected At-
Credits

SolarWinds Platform Deserialization of Untrusted Data Vulnerability

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:SolarWinds
Assigner Org ID:49f11609-934d-4621-84e6-e02e032104d6
Published At:15 Feb, 2023 | 00:00
Updated At:18 Mar, 2025 | 19:13
Rejected At:
▼CVE Numbering Authority (CNA)
SolarWinds Platform Deserialization of Untrusted Data Vulnerability

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Affected Products
Vendor
SolarWinds Worldwide, LLC.SolarWinds
Product
SolarWinds Platform
Default Status
unaffected
Versions
Affected
  • From 2022.4.1 and prior versions through 2022.4.1 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-502CWE-502 Deserialization of Untrusted Data
Type: CWE
CWE ID: CWE-502
Description: CWE-502 Deserialization of Untrusted Data
Metrics
VersionBase scoreBase severityVector
3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

All SolarWinds Platform customers are advised to upgrade to the latest version of the SolarWinds Platform version 2023.1

Configurations
Workarounds
Exploits
Credits
finder
SolarWinds would like to thank Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative for reporting on the issue in a responsible manner.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
N/A
https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47504
N/A
Hyperlink: https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
Resource: N/A
Hyperlink: https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47504
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
x_transferred
https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47504
x_transferred
Hyperlink: https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
Resource:
x_transferred
Hyperlink: https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47504
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:psirt@solarwinds.com
Published At:15 Feb, 2023 | 19:15
Updated At:03 Aug, 2023 | 20:15

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Secondary3.17.2HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Primary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Type: Secondary
Version: 3.1
Base score: 7.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CPE Matches
SolarWinds Worldwide, LLC.
solarwinds
>>orion_platform>>2022.4.1
cpe:2.3:a:solarwinds:orion_platform:2022.4.1:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-502Primarynvd@nist.gov
CWE-502Secondarypsirt@solarwinds.com
CWE ID: CWE-502
Type: Primary
Source: nvd@nist.gov
CWE ID: CWE-502
Type: Secondary
Source: psirt@solarwinds.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htmpsirt@solarwinds.com
Vendor Advisory
https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47504psirt@solarwinds.com
Vendor Advisory
Hyperlink: https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-1_release_notes.htm
Source: psirt@solarwinds.com
Resource:
Vendor Advisory
Hyperlink: https://www.solarwinds.com/trust-center/security-advisories/CVE-2022-47504
Source: psirt@solarwinds.com
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

177Records found
CVE-2022-47507
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.76% / 72.33%
||
7 Day CHG+0.07%
Published-15 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 19:12
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data Vulnerability

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-23836
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-37.15% / 97.04%
||
7 Day CHG~0.00%
Published-15 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 15:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data Vulnerability

SolarWinds Platform version 2022.4.1 was found to be susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to the SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-47503
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.76% / 72.33%
||
7 Day CHG+0.07%
Published-15 Feb, 2023 | 00:00
Updated-18 Mar, 2025 | 19:13
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data Vulnerability

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-38108
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-85.43% / 99.32%
||
7 Day CHG~0.00%
Published-20 Oct, 2022 | 20:11
Updated-08 May, 2025 | 16:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds PlatformOrion Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-36957
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-1.02% / 76.33%
||
7 Day CHG~0.00%
Published-20 Oct, 2022 | 20:08
Updated-05 May, 2025 | 20:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion PlatformSolarWinds Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-38111
Matching Score-10
Assigner-SolarWinds
ShareView Details
Matching Score-10
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-26.53% / 96.13%
||
7 Day CHG+1.63%
Published-15 Feb, 2023 | 00:00
Updated-19 Mar, 2025 | 19:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data Vulnerability

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-35244
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-6.8||MEDIUM
EPSS-19.20% / 95.12%
||
7 Day CHG~0.00%
Published-20 Dec, 2021 | 20:08
Updated-16 Sep, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Unrestricted File Upload Causing Remote Code Execution: Orion Platform 2020.2.6

The "Log alert to a file" action within action management enables any Orion Platform user with Orion alert management rights to write to any file. An attacker with Orion alert management rights could use this vulnerability to perform an unrestricted file upload causing a remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.Microsoft Corporation
Product-windowsorion_platformOrion Platform
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2023-40060
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.03% / 7.28%
||
7 Day CHG~0.00%
Published-07 Sep, 2023 | 15:57
Updated-27 Feb, 2025 | 20:57
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
2FA/MFA Bypass Vulnerability in Serv-U 15.4 and 15.4 Hotfix 1

A vulnerability has been identified within Serv-U 15.4 and 15.4 Hotfix 1 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 15.4.  SolarWinds found that the issue was not completely fixed in 15.4 Hotfix 1. 

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-serv-uServ-U
CWE ID-CWE-284
Improper Access Control
CVE-2023-33224
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.13% / 32.58%
||
7 Day CHG-0.11%
Published-26 Jul, 2023 | 13:53
Updated-23 Oct, 2024 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Incorrect Behavior Order Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Behavior Order Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-solarwinds_platformSolarWinds Platform
CWE ID-CWE-696
Incorrect Behavior Order
CVE-2023-33225
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.11% / 29.60%
||
7 Day CHG-0.10%
Published-26 Jul, 2023 | 13:46
Updated-09 Jul, 2025 | 13:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-solarwinds_platformSolarWinds Platform
CWE ID-CWE-697
Incorrect Comparison
CVE-2021-35220
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-8.1||HIGH
EPSS-1.63% / 81.13%
||
7 Day CHG~0.00%
Published-31 Aug, 2021 | 11:03
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
EmailWebPage Command Injection RCE

Command Injection vulnerability in EmailWebPage API which can lead to a Remote Code Execution (RCE) from the Alerts Settings page.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platform
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2023-23845
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-6.8||MEDIUM
EPSS-0.29% / 52.02%
||
7 Day CHG~0.00%
Published-13 Sep, 2023 | 22:07
Updated-27 Feb, 2025 | 20:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Exposed Dangerous Method Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-697
Incorrect Comparison
CVE-2023-23842
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.30% / 52.67%
||
7 Day CHG~0.00%
Published-26 Jul, 2023 | 14:53
Updated-23 Oct, 2024 | 15:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Network Configuration Manager Directory Traversal Vulnerability

The SolarWinds Network Configuration Manager was susceptible to the Directory Traversal Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-network_configuration_monitorNetwork Configuration Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-23840
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-6.8||MEDIUM
EPSS-0.29% / 52.02%
||
7 Day CHG~0.00%
Published-13 Sep, 2023 | 22:07
Updated-27 Feb, 2025 | 20:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Exposed Dangerous Method Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with NETWORK SERVICE privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-697
Incorrect Comparison
CVE-2023-23843
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.11% / 29.60%
||
7 Day CHG-0.10%
Published-26 Jul, 2023 | 13:58
Updated-23 Oct, 2024 | 15:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Incorrect Comparison Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-solarwinds_platformSolarWinds Platform
CWE ID-CWE-697
Incorrect Comparison
CVE-2023-23844
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.11% / 29.85%
||
7 Day CHG-0.10%
Published-26 Jul, 2023 | 13:32
Updated-23 Oct, 2024 | 15:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Incomplete List of Disallowed Inputs Vulnerability

The SolarWinds Platform was susceptible to the Incorrect Comparison Vulnerability. This vulnerability allows users with administrative access to SolarWinds Web Console to execute arbitrary commands with SYSTEM privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-solarwinds_platformSolarWinds Platform
CWE ID-CWE-184
Incomplete List of Disallowed Inputs
CWE ID-CWE-697
Incorrect Comparison
CVE-2022-36962
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.25% / 47.78%
||
7 Day CHG+0.05%
Published-29 Nov, 2022 | 20:46
Updated-25 Apr, 2025 | 14:42
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Command Injection

SolarWinds Platform was susceptible to Command Injection. This vulnerability allows a remote adversary with complete control over the SolarWinds database to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds PlatformOrion Platform
CWE ID-CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2020-27871
Matching Score-8
Assigner-Zero Day Initiative
ShareView Details
Matching Score-8
Assigner-Zero Day Initiative
CVSS Score-7.2||HIGH
EPSS-66.02% / 98.45%
||
7 Day CHG~0.00%
Published-10 Feb, 2021 | 22:15
Updated-04 Aug, 2024 | 16:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to create arbitrary files on affected installations of SolarWinds Orion Platform 2020.2.1. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within VulnerabilitySettings.aspx. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-11902.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platform
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-35185
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-6.8||MEDIUM
EPSS-0.15% / 36.30%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:24
Updated-15 Oct, 2024 | 18:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager OpenFile Directory Traversal Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to a Directory Traversal Remote Code Vulnerability using SYSTEM privileges.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2023-35179
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.06% / 20.06%
||
7 Day CHG~0.00%
Published-10 Aug, 2023 | 23:14
Updated-09 Oct, 2024 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
2FA/MFA Bypass Vulnerability in Serv-U 15.4

A vulnerability has been identified within Serv-U 15.4 that, if exploited, allows an actor to bypass multi-factor/two-factor authentication. The actor must have administrator-level access to Serv-U to perform this action. 

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-serv-uServ-U
CWE ID-CWE-284
Improper Access Control
CVE-2022-36963
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-7.2||HIGH
EPSS-0.53% / 66.18%
||
7 Day CHG~0.00%
Published-21 Apr, 2023 | 00:00
Updated-05 Feb, 2025 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data Vulnerability

The SolarWinds Platform was susceptible to the Command Injection Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform admin account to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds Platform
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2024-28073
Matching Score-8
Assigner-SolarWinds
ShareView Details
Matching Score-8
Assigner-SolarWinds
CVSS Score-8.4||HIGH
EPSS-0.22% / 44.71%
||
7 Day CHG~0.00%
Published-17 Apr, 2024 | 16:58
Updated-10 Feb, 2025 | 22:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Serv-U Directory Traversal Remote Code Execution Vulnerability

SolarWinds Serv-U was found to be susceptible to a Directory Traversal Remote Code Vulnerability. This vulnerability requires a highly privileged account to be exploited.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-serv-uServUserv-u
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2021-35218
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.9||HIGH
EPSS-24.71% / 95.92%
||
7 Day CHG~0.00%
Published-01 Sep, 2021 | 14:24
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Chart Endpoint Deserialization of Untrusted Data Remote Code Execution Vulnerability

Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformPatch Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-35227
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-4.7||MEDIUM
EPSS-0.71% / 71.43%
||
7 Day CHG~0.00%
Published-21 Oct, 2021 | 17:41
Updated-16 Sep, 2024 | 23:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Web Configuration for RabbitMQ Management Plugin in SolarWinds ARM

The HTTP interface was enabled for RabbitMQ Plugin in ARM 2020.2.6 and the ability to configure HTTPS was not available.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manager
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-31474
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-9.8||CRITICAL
EPSS-53.63% / 97.90%
||
7 Day CHG~0.00%
Published-21 May, 2021 | 14:40
Updated-03 Aug, 2024 | 23:03
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows remote attackers to execute arbitrary code on affected installations of SolarWinds Network Performance Monitor 2020.2.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SolarWinds.Serialization library. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-12213.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-network_performance_monitorNetwork Performance Monitor
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-27240
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-1.54% / 80.62%
||
7 Day CHG~0.00%
Published-29 Mar, 2021 | 21:05
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Patch Manager 2020.2.1. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the DataGridService WCF service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of Administrator. Was ZDI-CAN-12009.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-patch_managerPatch Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-25274
Matching Score-6
Assigner-MITRE Corporation
ShareView Details
Matching Score-6
Assigner-MITRE Corporation
CVSS Score-9.8||CRITICAL
EPSS-64.37% / 98.37%
||
7 Day CHG~0.00%
Published-03 Feb, 2021 | 16:49
Updated-03 Aug, 2024 | 19:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.

Action-Not Available
Vendor-n/aSolarWinds Worldwide, LLC.
Product-orion_platformn/a
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-0692
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-83.31% / 99.22%
||
7 Day CHG~0.00%
Published-01 Mar, 2024 | 08:55
Updated-16 Apr, 2025 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Security Event Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Security Event Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse SolarWinds’ service, resulting in remote code execution.

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-security_event_managerSecurity Event Manager security_event_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-35180
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-49.13% / 97.70%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:23
Updated-12 Sep, 2024 | 20:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows authenticated users to abuse SolarWinds ARM API.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-35182
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-4.64% / 88.87%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:23
Updated-12 Sep, 2024 | 20:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability can be abused by unauthenticated users on SolarWinds ARM Server.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-35186
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-9.61% / 92.57%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:21
Updated-12 Sep, 2024 | 19:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-28986
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.8||CRITICAL
EPSS-29.91% / 96.48%
||
7 Day CHG-4.40%
Published-13 Aug, 2024 | 22:06
Updated-30 Jul, 2025 | 01:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Known KEV||Action Due Date - 2024-09-05||Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
SolarWinds Web Help Desk Java Deserialization Remote Code Execution Vulnerability

SolarWinds Web Help Desk was found to be susceptible to a Java Deserialization Remote Code Execution vulnerability that, if exploited, would allow an attacker to run commands on the host machine. While it was reported as an unauthenticated vulnerability, SolarWinds has been unable to reproduce it without authentication after thorough testing.   However, out of an abundance of caution, we recommend all Web Help Desk customers apply the patch, which is now available.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-web_help_deskWeb Help DeskwebhelpdeskWeb Help Desk
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-28991
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9||CRITICAL
EPSS-39.69% / 97.21%
||
7 Day CHG~0.00%
Published-12 Sep, 2024 | 13:17
Updated-17 Sep, 2024 | 03:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability. If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-28075
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9||CRITICAL
EPSS-73.56% / 98.75%
||
7 Day CHG~0.00%
Published-09 May, 2024 | 12:42
Updated-10 Feb, 2025 | 22:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds ARM Deserialization of Untrusted Data Remote Code Execution

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an authenticated user to abuse SolarWinds service resulting in remote code execution. We thank Trend Micro Zero Day Initiative (ZDI) for its ongoing partnership in coordinating with SolarWinds on responsible disclosure of this and other potential vulnerabilities.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-23478
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8||HIGH
EPSS-61.86% / 98.27%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 20:35
Updated-12 Aug, 2024 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-36958
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-12.83% / 93.76%
||
7 Day CHG~0.00%
Published-20 Oct, 2022 | 20:10
Updated-08 May, 2025 | 13:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds PlatformOrion Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2022-36964
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-1.35% / 79.31%
||
7 Day CHG-0.04%
Published-29 Nov, 2022 | 20:47
Updated-25 Apr, 2025 | 14:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Platform Deserialization of Untrusted Data

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with valid access to SolarWinds Web Console to execute arbitrary commands.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformSolarWinds PlatformOrion Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-35216
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.9||HIGH
EPSS-51.65% / 97.81%
||
7 Day CHG~0.00%
Published-01 Sep, 2021 | 14:23
Updated-04 Aug, 2024 | 00:33
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Deserialization of Untrusted Data in Resource Controls Remote Code Execution

Insecure Deserialization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module. An Authenticated Attacker with network access via HTTP can compromise this vulnerability can result in Remote Code Execution.

Action-Not Available
Vendor-SolarWindsSolarWinds Worldwide, LLC.
Product-patch_managerPatch Manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-26397
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-7.8||HIGH
EPSS-0.05% / 15.82%
||
7 Day CHG+0.01%
Published-24 Jul, 2025 | 07:57
Updated-25 Jul, 2025 | 15:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Observability Self-Hosted Deserialization of Untrusted Data Local Privilege Escalation Vulnerability

SolarWinds Observability Self-Hosted is susceptible to Deserialization of Untrusted Data Local Privilege Escalation vulnerability. An attacker with low privileges can escalate privileges to run malicious files copied to a permission-protected folder. This vulnerability requires authentication from a low-level account and local access to the host server.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-SolarWinds Observability Self-Hosted
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-40057
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9||CRITICAL
EPSS-11.68% / 93.41%
||
7 Day CHG~0.00%
Published-15 Feb, 2024 | 20:36
Updated-12 Aug, 2024 | 20:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Deserialization of Untrusted Data Remote Code Execution

The SolarWinds Access Rights Manager was found to be susceptible to a Remote Code Execution Vulnerability. If exploited, this vulnerability allows an authenticated user to abuse a SolarWinds service resulting in remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2023-35184
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.8||HIGH
EPSS-10.60% / 92.98%
||
7 Day CHG~0.00%
Published-19 Oct, 2023 | 14:22
Updated-12 Sep, 2024 | 20:08
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager Deserialization of Untrusted Data Remote Code Execution Vulnerability

The SolarWinds Access Rights Manager was susceptible to Remote Code Execution Vulnerability. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in a remote code execution.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-35217
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.9||HIGH
EPSS-60.06% / 98.19%
||
7 Day CHG~0.00%
Published-08 Sep, 2021 | 13:15
Updated-16 Sep, 2024 | 20:58
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Insecure Deserialization of untrusted data causing Remote code execution vulnerability.

Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-patch_managerOrion Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-35215
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-8.9||HIGH
EPSS-88.20% / 99.46%
||
7 Day CHG~0.00%
Published-01 Sep, 2021 | 14:21
Updated-16 Sep, 2024 | 19:52
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
ActionPluginBaseView Deserialization of Untrusted Data RCE

Insecure deserialization leading to Remote Code Execution was detected in the Orion Platform version 2020.2.5. Authentication is required to exploit this vulnerability.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-28074
Matching Score-6
Assigner-SolarWinds
ShareView Details
Matching Score-6
Assigner-SolarWinds
CVSS Score-9.6||CRITICAL
EPSS-0.10% / 28.93%
||
7 Day CHG-0.91%
Published-17 Jul, 2024 | 14:29
Updated-10 Sep, 2024 | 18:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SolarWinds Access Rights Manager (ARM) Internal Deserialization Remote Code Execution Vulnerability

It was discovered that a previous vulnerability was not completely fixed with SolarWinds Access Rights Manager. While some controls were implemented the researcher was able to bypass these and use a different method to exploit the vulnerability.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-access_rights_managerAccess Rights Manageraccess_rights_manager
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-27277
Matching Score-6
Assigner-Zero Day Initiative
ShareView Details
Matching Score-6
Assigner-Zero Day Initiative
CVSS Score-7.8||HIGH
EPSS-2.21% / 83.78%
||
7 Day CHG~0.00%
Published-22 Apr, 2021 | 17:50
Updated-03 Aug, 2024 | 20:48
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

This vulnerability allows local attackers to escalate privileges on affected installations of SolarWinds Orion Virtual Infrastructure Monitor 2020.2. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the OneTimeJobSchedulerEventsService WCF service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. Was ZDI-CAN-11955.

Action-Not Available
Vendor-SolarWinds Worldwide, LLC.
Product-orion_platformOrion Virtual Infrastructure Monitor
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-54282
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.2||HIGH
EPSS-0.30% / 52.77%
||
7 Day CHG~0.00%
Published-13 Dec, 2024 | 14:25
Updated-13 Dec, 2024 | 15:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress WP Mega Menu plugin <= 1.4.2 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Themeum WP Mega Menu allows Object Injection.This issue affects WP Mega Menu: from n/a through 1.4.2.

Action-Not Available
Vendor-Themeum
Product-WP Mega Menu
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2024-49684
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.2||HIGH
EPSS-0.77% / 72.51%
||
7 Day CHG~0.00%
Published-23 Oct, 2024 | 15:13
Updated-25 Oct, 2024 | 12:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Backup and Staging by WP Time Capsule plugin <= 1.22.21 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Revmakx Backup and Staging by WP Time Capsule allows Object Injection.This issue affects Backup and Staging by WP Time Capsule: from n/a through 1.22.21.

Action-Not Available
Vendor-Revmakxrevmakx
Product-Backup and Staging by WP Time Capsulebackup_and_staging_by_wp_time_capsule
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2021-4451
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-6.6||MEDIUM
EPSS-0.82% / 73.44%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 06:43
Updated-30 Oct, 2024 | 17:44
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
NinjaFirewall <= 4.3.3 - Authenticated PHAR Deserialization

The NinjaFirewall plugin for WordPress is vulnerable to Authenticated PHAR Deserialization in versions up to, and including, 4.3.3. This allows authenticated attackers to perform phar deserialization on the server. This deserialization can allow other plugin or theme exploits if vulnerable software is present (WordPress, and NinjaFirewall).

Action-Not Available
Vendor-nintechnetnintechnetninjatechnologiesnetwork
Product-ninjafirewallNinjaFirewall (WP Edition) – Advanced Security Plugin and Firewallninja_firewall
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2019-5326
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
ShareView Details
Matching Score-4
Assigner-Hewlett Packard Enterprise (HPE)
CVSS Score-7.2||HIGH
EPSS-2.54% / 84.87%
||
7 Day CHG~0.00%
Published-27 Feb, 2020 | 16:23
Updated-04 Aug, 2024 | 19:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

An administrative application user of or application user with write access to Aruba Airwave VisualRF is able to obtain code execution on the AMP platform. This is possible due to the ability to overwrite a file on disk which is subsequently deserialized by the Java application component.

Action-Not Available
Vendor-n/aAruba Networks
Product-airwaveAirWave Management Platform
CWE ID-CWE-502
Deserialization of Untrusted Data
CVE-2025-58218
Matching Score-4
Assigner-Patchstack
ShareView Details
Matching Score-4
Assigner-Patchstack
CVSS Score-7.2||HIGH
EPSS-Not Assigned
Published-27 Aug, 2025 | 17:45
Updated-27 Aug, 2025 | 18:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WordPress Small Package Quotes – USPS Edition Plugin <= 1.3.9 - PHP Object Injection Vulnerability

Deserialization of Untrusted Data vulnerability in enituretechnology Small Package Quotes – USPS Edition allows Object Injection. This issue affects Small Package Quotes – USPS Edition: from n/a through 1.3.9.

Action-Not Available
Vendor-Eniture, LLC
Product-Small Package Quotes – USPS Edition
CWE ID-CWE-502
Deserialization of Untrusted Data
  • Previous
  • 1
  • 2
  • 3
  • 4
  • Next
Details not found