
Cloud Vulnerability DB
A community-led vulnerabilities database
SolarWinds Access Rights Manager (ARM) is affected by a Remote Code Execution (RCE) vulnerability tracked as CVE-2023-35180. The vulnerability was discovered in ARM version 2023.2.0.73 and prior versions, and it allows authenticated users to abuse the SolarWinds ARM API. It was disclosed on October 18, 2023, and was assigned a high-severity CVSS score of 8.8 (NVD, SolarWinds Advisory).
The vulnerability is a deserialization of untrusted data issue in the SolarWinds ARM API. The specific flaw exists in the deserialization of JSON data sent to the API via TCP port 443: user-supplied data is not properly validated before it is deserialized. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data) and received a CVSS v3.1 base score of 8.8 (High) from NVD, while SolarWinds assessed it with a CVSS score of 8.0 (ZDI Advisory).
If successfully exploited, this vulnerability allows an attacker to execute arbitrary code in the context of the service account. Given ARM's role in managing user access rights to data, files, and systems, exploitation could lead to significant compromise of the affected system's security controls and potentially full system takeover (Dark Reading).
SolarWinds has released version 2023.2.1 of Access Rights Manager, which contains fixes for this vulnerability. Organizations using affected versions are strongly advised to upgrade to the patched version immediately (SolarWinds Advisory).
Source: This report was generated using AI