SolarWinds has recently addressed a series of critical security vulnerabilities within its Access Rights Manager (ARM) software that pose significant risks to users. These vulnerabilities could be exploited by malicious actors to gain unauthorized access to sensitive information or to execute arbitrary code, making this a pressing concern for businesses reliant on the software.
In total, the company has identified 13 vulnerabilities: eight are classified as critical with a Common Vulnerability Scoring System (CVSS) rating of 9.6 out of 10, and the remaining five are rated high, four with a CVSS score of 7.6 and one at 8.3. The most severe flaws involve directory traversal, remote code execution, arbitrary file deletion, and information disclosure. Two of them, CVE-2024-23472 and CVE-2024-28074, have been singled out because they allow an attacker to read and delete files and to execute code with elevated privileges.
The vulnerabilities were patched in version 2024.3, released on July 17, 2024, after being reported through Trend Micro’s Zero Day Initiative (ZDI) under responsible disclosure. That coordinated process underscores the urgency of fixing identified weaknesses, which can have serious consequences if left unaddressed.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has categorized these vulnerabilities under its Known Exploited Vulnerabilities (KEV) catalog, emphasizing the criticality of mitigating the risks associated with these flaws in SolarWinds’ software. Separately, CISA also highlighted a severe path traversal vulnerability in SolarWinds Serv-U (CVE-2024-28995, CVSS score 8.6) following reports of active exploitation in the wild.
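Both the ARM flaws and the Serv-U bug above belong to the directory (path) traversal class, where a user-supplied path escapes the directory the application meant to expose. The following is an added defensive example written for this page, not SolarWinds’ code; the base directory and the request paths it checks are constructed. It shows the containment check a file-serving component needs: decode, normalize, resolve, then verify the result still sits under the intended root.

```python
import os
from typing import Optional
from urllib.parse import unquote


def resolve_within(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path for `requested` if it stays inside base_dir.

    Returns None when the request would escape base_dir. The check is done
    on the fully resolved path, so encoded dots, backslashes and symlinks
    cannot be used to slip past a naive string comparison.
    """
    # Decode percent-encoding twice so double-encoded sequences such as
    # %252e%252e (-> %2e%2e -> ..) are normalized before any path logic runs.
    decoded = unquote(unquote(requested))
    # Treat backslashes as separators; Windows path APIs do, and ARM and
    # Serv-U are Windows products.
    decoded = decoded.replace("\\", "/")
    # NUL bytes can truncate the path inside native file APIs: reject outright.
    if "\x00" in decoded:
        return None
    # Drop leading slashes so an absolute request cannot replace the base
    # (os.path.join discards everything before an absolute component).
    relative = decoded.lstrip("/")
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, relative))
    # Containment check on resolved paths: candidate must equal base_real
    # or be a descendant of it.
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def classify_requests(base_dir: str, requests):
    """Return a list of (request, allowed) pairs for a batch of request paths."""
    return [(req, resolve_within(base_dir, req) is not None) for req in requests]


if __name__ == "__main__":
    # Constructed sample requests against a constructed share root.
    SAMPLE_REQUESTS = [
        "reports/q1.txt",
        "reports/../q1.txt",
        "../../etc/passwd",
        "%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/%252e%252e/etc/passwd",
        "..\\..\\windows\\win.ini",
        "/etc/passwd",
    ]
    for req, allowed in classify_requests("/srv/share", SAMPLE_REQUESTS):
        print(f"{'ALLOW' if allowed else 'DENY ':5} {req}")
```

Note that an absolute request such as `/etc/passwd` is not denied but re-rooted under the share (`/srv/share/etc/passwd`), which is the safe interpretation; if your application expects only relative names, reject leading slashes instead. The same pattern applies to delete and write operations, which is where the ARM file-deletion flaws sit.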
These disclosures follow the major supply chain attack SolarWinds suffered in 2020, in which the Russian state-sponsored group APT29 compromised the update mechanism of its Orion network management platform. That compromise pushed malicious code to downstream customers, a breach with implications that the company and its clients are still dealing with.
Further complicating matters, the U.S. Securities and Exchange Commission (SEC) filed a lawsuit against SolarWinds and its Chief Information Security Officer (CISO) in October 2023, citing failures in disclosing essential information regarding cybersecurity risks to investors. However, much of the lawsuit was dismissed by the U.S. District Court for the Southern District of New York on July 18, 2024, on the grounds that the assertions did not demonstrate actionable deficiencies in the company’s reporting process related to the cybersecurity incident.
For business owners, understanding the tactics and techniques associated with such vulnerabilities is critical. In MITRE ATT&CK terms, the relevant tactics include Initial Access, Privilege Escalation, and Command and Control, which an attacker chains together to compromise system integrity. This threat landscape underscores the need for robust security controls and a proactive approach to risk management that closes exploitable weaknesses before they affect the organization.
As threats continue to evolve, it remains essential for businesses to stay informed and prepared, actively updating their systems and employing security best practices to safeguard against future attacks.