CVE-2022-38108

HIGH7.2

High EPSS

Description

SolarWinds Platform was susceptible to the Deserialization of Untrusted Data. This vulnerability allows a remote adversary with Orion admin-level account access to SolarWinds Web Console to execute arbitrary commands.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

SolarWinds / Orion Platformunspecified – 2020.2.6 HF5 and prior versions
SolarWinds / SolarWinds Platformunspecified – 2022.3 and prior versions

References

VENDOR_ADVISORYhttps://www.solarwinds.com/trust-center/security-advisories/CVE-2022-38108
VENDOR_ADVISORYhttps://www.zerodayinitiative.com/advisories/ZDI-CAN-17531
EXPLOIThttp://packetstormsecurity.com/files/171567/SolarWinds-Information-Service-SWIS-Remote-Command-Execution.html