CVE-2024-23478: 
SolarWinds Access Rights Manager vulnerability analysis and mitigation

SolarWinds Access Rights Manager (ARM) was found to be susceptible to a Remote Code Execution Vulnerability affecting versions up to 2023.2.2. The vulnerability, discovered by Piotr Bazydlo (@chudypb) of Trend Micro Zero Day Initiative, allows an authenticated user to abuse a SolarWinds service, resulting in remote code execution (SolarWinds Advisory, ZDI Advisory).

The vulnerability exists within the JsonSerializationBinder class and stems from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. It has been assigned CWE-502 (Deserialization of Untrusted Data) and received a CVSS v3.1 base score of 8.0 HIGH with the vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (ZDI Advisory, NVD).

If successfully exploited, an attacker can leverage this vulnerability to execute code in the context of the service account, potentially leading to full system compromise. The vulnerability affects the integrity, confidentiality, and availability of the system, with potential impacts including malware installation, data theft, and disruption of critical business operations (Help Net Security).

SolarWinds has released version 2023.2.3 of Access Rights Manager (ARM) to address this vulnerability. Organizations are strongly advised to upgrade to this version as no alternative mitigations or workarounds have been provided (Help Net Security).