CVE-2021-35220: 
SolarWinds Platform vulnerability analysis and mitigation

CVE-2021-35220 is a Command Injection vulnerability discovered in the EmailWebPage API of SolarWinds Orion Platform that can lead to Remote Code Execution (RCE) from the Alerts Settings page. The vulnerability was first published on July 15, 2021, and affects SolarWinds Orion Platform versions 2020.2.5 and earlier. This security flaw was discovered by Alex Birnberg of Zymo Security and FireEye (SolarWinds Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.1 (High) with the vector string CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N. The flaw requires authentication with the 'Alerting Mgmt' permission to be exploited. It is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) (NVD).

If successfully exploited, this vulnerability allows remote authenticated attackers to execute arbitrary commands on affected installations of SolarWinds Orion Platform. The high severity rating indicates significant potential impact on the confidentiality and integrity of the system (SolarWinds Advisory).

SolarWinds has released a patch for this vulnerability in Orion Platform version 2020.2.6 HF1. Organizations using affected versions are strongly advised to upgrade to this patched version to mitigate the risk (SolarWinds Advisory).