CVE-2023-35186: 
SolarWinds Access Rights Manager vulnerability analysis and mitigation

The SolarWinds Access Rights Manager (ARM) was found to contain a Remote Code Execution (RCE) vulnerability identified as CVE-2023-35186. This vulnerability affects ARM version 2023.2.0.73 and prior versions, allowing authenticated users to abuse SolarWinds service resulting in remote code execution (SolarWinds Advisory).

The vulnerability exists within the GetParameterFormTemplateWithSelectionState method and stems from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) by NIST NVD with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while SolarWinds assigned it a score of 8.0 (HIGH) with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (ZDI Advisory).

An attacker who successfully exploits this vulnerability can leverage it to execute arbitrary code in the context of the service account. Given ARM's role in managing access rights to data, files, and systems, a successful exploitation could lead to complete system compromise (Dark Reading).

SolarWinds has released version 2023.2.1 of Access Rights Manager which addresses this vulnerability. Users are advised to upgrade to this version immediately to mitigate the risk (ARM Release Notes).