CVE-2023-35184: 
SolarWinds Access Rights Manager vulnerability analysis and mitigation

The SolarWinds Access Rights Manager (ARM) was discovered to contain a critical Remote Code Execution (RCE) vulnerability identified as CVE-2023-35184. This vulnerability allows an unauthenticated user to abuse a SolarWinds service resulting in remote code execution. The vulnerability was discovered in ARM version 2023.2.0.73 and earlier versions, with a fix released in version 2023.2.1 on October 18, 2023 (SolarWinds Advisory).

The vulnerability is related to deserialization of untrusted data, classified under CWE-502 (Deserialization of Untrusted Data). It received a CVSS v3.1 base score of 9.8 CRITICAL from NIST NVD, while SolarWinds assigned it a score of 8.8 HIGH with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability exists within the ExecuteAction method, where improper validation of user-supplied data can result in deserialization of untrusted data (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code at the system level, potentially leading to complete system compromise. An attacker can leverage this vulnerability to execute code in the context of the service account, enabling them to take full control of the affected system (Dark Reading).

SolarWinds has released version 2023.2.1 of Access Rights Manager which addresses this vulnerability. Organizations using affected versions are strongly advised to upgrade to the patched version immediately (SolarWinds Advisory).