CVE-2021-25274
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to send malicious messages to SolarWinds Orion's Collector Service on TCP port 1801, which are then deserialized insecurely, leading to arbitrary code execution with LocalSystem privileges. It affects SolarWinds Orion Platform installations using MSMQ with default configurations. Organizations running vulnerable versions are at risk of complete system compromise.
💻 Affected Systems
- SolarWinds Orion Platform
📦 What is this software?
Orion Platform by SolarWinds
⚠️ Risk & Real-World Impact
Worst Case
Complete system takeover with LocalSystem privileges, enabling lateral movement, data exfiltration, and persistent backdoor installation across the network.
Likely Case
Remote code execution leading to ransomware deployment, credential theft, or installation of persistent malware on affected systems.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external access to port 1801.
🎯 Exploit Status
Exploitation is straightforward with publicly available proof-of-concept code. The vulnerability requires no authentication and has reliable exploitation paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2020.2.4 or later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-25274
Restart Required: Yes
Instructions:
1. Download SolarWinds Orion Platform version 2020.2.4 or later from the SolarWinds customer portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart the SolarWinds services after installation completes.
🔧 Temporary Workarounds
Block MSMQ Port
Block TCP port 1801 at the network perimeter and on the host to prevent remote exploitation.
netsh advfirewall firewall add rule name="Block MSMQ" dir=in action=block protocol=TCP localport=1801
Restrict MSMQ Queue Permissions
Set proper ACLs on MSMQ private queues to prevent unauthorized access. Set-MsmqQueueACL takes queue objects from Get-MsmqQueue (it has no -QueueName parameter), and -Remove expects the rights to strip; list the current entries with Get-MsmqQueueACL first and substitute the rights actually granted if they differ from FullControl.
Get-MsmqQueue -QueueType Private -Name "SolarWinds.Orion.Collector" | Set-MsmqQueueACL -UserName "NT AUTHORITY\ANONYMOUS LOGON" -Remove FullControl
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SolarWinds systems and block all external access to port 1801.
- Deploy host-based firewalls to restrict inbound connections to port 1801 only from trusted management systems.
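The allow-list policy described in the two points above, as an added example that is not part of the advisory. It is written for the Windows host firewall on the Orion server; the addresses in $TrustedSources are placeholders constructed for the example. Note that it deliberately adds no explicit block rule: in Windows Firewall a block rule takes precedence over every allow rule, so the blanket netsh block shown under "Block MSMQ Port" would also cut off the management hosts. Unlisted sources are instead dropped by the profile's default inbound action.

```powershell
# Added example, not from the advisory: host firewall policy for TCP/1801 on an Orion
# server that admits only trusted management sources.
# Assumption: $TrustedSources holds placeholder addresses; replace with your own.
$TrustedSources = @('10.0.10.0/24', '10.0.20.5')   # constructed placeholders

function Set-MsmqFirewallAllowList {
    param([string[]]$Trusted = $TrustedSources)

    # 1. Disable every existing inbound allow rule for TCP/1801 (MSMQ's own predefined
    #    rules included); otherwise they would keep admitting arbitrary sources.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '1801' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Disable-NetFirewallRule

    # 2. Add one allow rule scoped to the trusted sources. No explicit block rule is
    #    added: a block rule wins over any allow rule, so a blanket block on 1801 would
    #    also cut off the management hosts. Unlisted sources fall through to the
    #    profile's default inbound action, enforced in step 3.
    New-NetFirewallRule -DisplayName 'MSMQ 1801 - trusted management only' `
        -Direction Inbound -Protocol TCP -LocalPort 1801 `
        -RemoteAddress $Trusted -Action Allow -Profile Any -Enabled True | Out-Null

    # 3. Make sure unsolicited inbound traffic is blocked by default on every profile.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
}

function Test-MsmqFirewallAllowList {
    # Returns the inbound allow rules for 1801 that are still enabled, with their
    # remote-address scope, so you can confirm only the allow-list rule remains.
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq '1801' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
        ForEach-Object {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
            }
        }
}

Set-MsmqFirewallAllowList
Test-MsmqFirewallAllowList
```

Run it from an elevated PowerShell session on the Orion host; the final call should list exactly one rule, scoped to the trusted addresses.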
🔍 How to Verify
Check if Vulnerable:
Check the SolarWinds Orion version in the web interface under Help > About, or examine installed programs in Control Panel. If the version is earlier than 2020.2.4 and MSMQ is enabled, the system is vulnerable.
Check Version:
Get-WmiObject -Class Win32_Product | Where-Object {$_.Name -like "*SolarWinds*Orion*"} | Select-Object Name, Version
Verify Fix Applied:
Confirm version is 2020.2.4 or later in the web interface, and verify MSMQ queue permissions have been properly configured.
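A scripted version of the checks above, added here as an example and not part of the advisory. It reads the Uninstall registry keys rather than Win32_Product (which is slow and triggers an MSI consistency check on every product), compares the installed version against 2020.2.4, and reports whether the MSMQ service is running and port 1801 is listening. It assumes the Orion product registers an Uninstall entry whose DisplayName contains both "SolarWinds" and "Orion", matching the Win32_Product filter used above.

```powershell
# Added example, not from the advisory: version and exposure check for CVE-2021-25274.
# Assumption: the Orion Uninstall entry's DisplayName matches '*SolarWinds*Orion*'.
$FixedVersion = [version]'2020.2.4'

function ConvertTo-OrionVersion {
    param([string]$Text)
    # Keep only the leading dotted numeric part (e.g. "2020.2.1 HF1" -> 2020.2.1).
    if ($Text -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-OrionInstall {
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*SolarWinds*Orion*' } |
        Select-Object DisplayName, DisplayVersion
}

function Test-OrionExposure {
    # Service name of Message Queuing is MSMQ; the Collector listens on TCP/1801.
    $msmqService = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $listener    = Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue
    $msmqRunning = ($null -ne $msmqService) -and ($msmqService.Status -eq 'Running')

    foreach ($p in Get-OrionInstall) {
        $v = ConvertTo-OrionVersion $p.DisplayVersion
        $belowFixed = ($null -ne $v) -and ($v -lt $FixedVersion)
        [pscustomobject]@{
            Product      = $p.DisplayName
            Version      = $p.DisplayVersion
            BelowFixed   = $belowFixed
            MsmqRunning  = $msmqRunning
            Port1801Open = [bool]$listener
            # Vulnerable per the advisory: below 2020.2.4 with MSMQ enabled.
            Vulnerable   = $belowFixed -and $msmqRunning
        }
    }
}

Test-OrionExposure | Format-Table -AutoSize
```

A host that shows BelowFixed as False and still lists Port1801Open as True is patched but still exposed to any future MSMQ issue; pair the version check with the queue ACL and firewall checks from the workaround section.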
📡 Detection & Monitoring
Log Indicators:
- Unusual MSMQ activity in Windows Event Logs (Application and Services Logs > Microsoft > Windows > MSMQ)
- Failed authentication attempts to SolarWinds services
- Unexpected process creation from SolarWinds services
Network Indicators:
- Unexpected connections to TCP port 1801 from unauthorized sources
- Malformed MSMQ packets to SolarWinds systems
SIEM Query:
source="windows" AND (event_id=4688 OR event_id=4689) AND (process_name="*SolarWinds*" OR parent_process_name="*SolarWinds*")
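Host-side hunting for the process and network indicators listed above, as an added example that is not part of the advisory. It assumes process-creation auditing (event 4688) is enabled and the host runs Windows 10 / Server 2016 or later, where 4688 carries the ParentProcessName field; the $TrustedSources allow-list is a constructed placeholder. The SIEM query above returns every process that any SolarWinds binary starts, which is noisy on a monitoring server; the script narrows that to children spawned by a SolarWinds parent and flags shells and script hosts, which is how a deserialization RCE in a service normally surfaces.

```powershell
# Added example, not from the advisory: local triage of the advisory's indicators.
# Assumptions: 4688 auditing enabled; Windows 10 / Server 2016+ for ParentProcessName;
# $TrustedSources is a constructed placeholder allow-list.
$TrustedSources = @('10.0.10.0/24', '10.0.20.5')

# Children of a SolarWinds service that are shells or script hosts are the highest-value hits.
$SuspiciousChildren = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
                        'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe')

function Get-SolarWindsChildProcesses {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Pull the named EventData fields out of the event XML.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ParentProcessName'] -notlike '*SolarWinds*') { continue }
        $child = (Split-Path -Leaf $d['NewProcessName']).ToLower()
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $d['ParentProcessName']
            Child       = $d['NewProcessName']
            CommandLine = $d['CommandLine']        # empty unless command-line auditing is on
            User        = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Suspicious  = $SuspiciousChildren -contains $child
        }
    }
}

function ConvertTo-UInt32 {
    param([System.Net.IPAddress]$Ip)
    # Network byte order -> host integer (IPv4 only).
    return [BitConverter]::ToUInt32([byte[]]($Ip.GetAddressBytes()[3..0]), 0)
}

function Test-InTrustedRange {
    param([string]$Address, [string[]]$Trusted)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6 peers are flagged
    $addrBits = ConvertTo-UInt32 $ip
    foreach ($entry in $Trusted) {
        $net, $len = $entry.Split('/')
        if (-not $len) { $len = 32 }                               # bare address = /32
        $netBits = ConvertTo-UInt32 ([System.Net.IPAddress]::Parse($net))
        $mask = [uint32]((0xFFFFFFFFL -shl (32 - [int]$len)) -band 0xFFFFFFFFL)
        if (($addrBits -band $mask) -eq ($netBits -band $mask)) { return $true }
    }
    return $false
}

function Get-UntrustedMsmqPeers {
    param([string[]]$Trusted = $TrustedSources)
    # Live connections to local TCP/1801 whose peer is outside the allow-list.
    Get-NetTCPConnection -LocalPort 1801 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        Where-Object { -not (Test-InTrustedRange -Address $_.RemoteAddress -Trusted $Trusted) } |
        Select-Object RemoteAddress, RemotePort, State, OwningProcess
}

Get-SolarWindsChildProcesses | Where-Object Suspicious | Format-Table -AutoSize
Get-UntrustedMsmqPeers | Format-Table -AutoSize
```

Schedule both functions or feed their output to the SIEM; a shell spawned by a SolarWinds service together with a 1801 connection from outside the allow-list is the pairing worth paging on.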