CVE-2021-31474

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated remote attackers to execute arbitrary code with SYSTEM privileges on SolarWinds Network Performance Monitor installations. The flaw exists in the SolarWinds.Serialization library where improper validation of user-supplied data enables deserialization of untrusted data. Organizations running affected versions of SolarWinds NPM are at risk.

💻 Affected Systems

Products:
  • SolarWinds Network Performance Monitor
Versions: 2020.2.1 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is in the SolarWinds.Serialization library used by NPM, making default installations vulnerable without special configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise with SYSTEM privileges, enabling attackers to install malware, steal data, pivot to other systems, and maintain persistent access.

🟠 Likely Case: Remote code execution leading to ransomware deployment, data exfiltration, or installation of backdoors for future attacks.

🟢 If Mitigated: Attack blocked at the network perimeter or detected before successful exploitation, with minimal impact due to segmentation and monitoring.

🌐 Internet-Facing: HIGH - No authentication required and remote exploitation makes internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internal instances are vulnerable to network-accessible attacks from compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published details and proof-of-concept, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.2.5 or later

Vendor Advisory: https://documentation.solarwinds.com/en/success_center/sam/content/release_notes/sam_2020-2-5_release_notes.htm

Restart Required: Yes

Instructions:

1. Download SolarWinds NPM 2020.2.5 or later from the SolarWinds customer portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart the SolarWinds services and verify functionality.

🔧 Temporary Workarounds

Network Segmentation (applies to: all versions)

Restrict network access to SolarWinds NPM instances to trusted management networks only.

Application Firewall Rules (applies to: all versions)

Block suspicious serialization-related requests at the network or host firewall level.

🧯 If You Can't Patch

  • Isolate SolarWinds NPM instances in separate network segments with strict access controls
  • Implement web application firewall (WAF) rules to block deserialization attacks and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check SolarWinds NPM version in web interface (Settings → About) or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Network Performance Monitor\Version

Check Version:

reg query "HKLM\SOFTWARE\SolarWinds\Network Performance Monitor" /v Version

Verify Fix Applied:

Verify that the version is 2020.2.5 or higher and that SolarWinds.Serialization.dll has been updated to the patched version.
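As an added example (not part of this advisory and not SolarWinds code), the following Python compares an installed version string against the fixed release 2020.2.5 and, on Windows, reads the version from the registry value named above. The version-string formats it accepts (a leading dotted number with an optional suffix) and the winreg lookup are assumptions; the comparison logic also works with a version copied from Settings → About.

```python
"""Version check for CVE-2021-31474 (added example, not from the advisory).

Reads the NPM version from the registry value the advisory names
(HKLM\\SOFTWARE\\SolarWinds\\Network Performance Monitor, value "Version")
when run on Windows, and compares it with the fixed release 2020.2.5.
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = (2020, 2, 5)  # first patched release per the advisory

REG_KEY = r"SOFTWARE\SolarWinds\Network Performance Monitor"
REG_VALUE = "Version"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string such as '2020.2.1' into a tuple of ints.

    Only the leading dotted-numeric part is used; any suffix (build or
    hotfix labels, an assumption about how the value may be formatted) is
    ignored, and missing components count as 0, so '2020.2' becomes
    (2020, 2, 0).
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad to at least 3 components


def is_vulnerable(version: str) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version) < FIXED_VERSION


def read_installed_version() -> Optional[str]:
    """Read the Version value from the registry (Windows only).

    Returns None on non-Windows hosts or when the key/value is absent, so
    the caller can fall back to the version shown in the web UI.
    """
    try:
        import winreg  # only present on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, REG_KEY) as key:
            value, _type = winreg.QueryValueEx(key, REG_VALUE)
            return str(value)
    except OSError:
        return None


if __name__ == "__main__":
    installed = read_installed_version()
    if installed is None:
        print("Could not read the version from the registry; check Settings -> About.")
    else:
        status = "VULNERABLE" if is_vulnerable(installed) else "patched"
        print(f"SolarWinds NPM {installed}: {status}")
```

If the key is not found, check whether it sits under the WOW6432Node view on a 64-bit host, and cross-check with the web UI: the registry value alone does not prove that SolarWinds.Serialization.dll on disk was actually replaced by the installer.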

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from SolarWinds services
  • Errors in SolarWinds logs related to serialization/deserialization
  • Unexpected network connections from NPM server

Network Indicators:

  • HTTP requests to SolarWinds endpoints with serialized payloads
  • Unusual outbound connections from NPM server

SIEM Query:

(source="solarwinds.log" AND ("deserialization" OR "serialization error" OR "unexpected data")) OR (process_name="SolarWinds*" AND parent_process!="expected_parent")

The parentheses make the AND/OR grouping explicit; expected_parent is a placeholder to be replaced with the parent process observed for the SolarWinds services on a known-good host.
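The log and process indicators above can be turned into a small triage routine that runs offline over exported telemetry. The following Python is an added example, not part of the advisory: the key=value line format, the sample events, the SolarWinds.ExampleService.exe process name and the expected-parent list are all constructed for illustration and should be replaced with the field names and a baseline taken from your own environment.

```python
"""Triage of process-creation and application-log lines for the indicators
listed in the advisory (added example; line format and samples are constructed).
"""
import ntpath
import re
from typing import Dict, List

# Child processes that a monitoring service has no legitimate reason to spawn.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
    "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe",
}

# Assumed expected parent of SolarWinds service processes (the service control
# manager). Build the real list from a baseline of known-good hosts.
EXPECTED_PARENTS = {"services.exe"}

# Application-log phrases the advisory lists as indicators.
SERIALIZATION_PATTERN = re.compile(
    r"deserializ|serialization error|unexpected data", re.IGNORECASE
)

# Constructed sample telemetry in a simple key="value" form.
SAMPLE_EVENTS = [
    r'EventType="ProcessCreate" Image="C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.ExampleService.exe" ParentImage="C:\Windows\System32\services.exe"',
    r'EventType="ProcessCreate" Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.ExampleService.exe"',
    r'EventType="ProcessCreate" Image="C:\Windows\System32\cmd.exe" ParentImage="C:\Windows\explorer.exe"',
    r'EventType="ProcessCreate" Image="C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.ExampleService.exe" ParentImage="C:\Windows\System32\cmd.exe"',
    r'EventType="AppLog" Source="solarwinds.log" Message="SolarWinds.Serialization: deserialization failed: unexpected data"',
    r'EventType="AppLog" Source="solarwinds.log" Message="Poller completed successfully"',
]


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key="value" pairs; values may contain spaces and backslashes."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious line as {'rule': ..., 'line': ...}."""
    findings = []
    for line in lines:
        f = parse_kv(line)
        if f.get("EventType") == "ProcessCreate":
            # ntpath handles Windows paths regardless of the host OS.
            image = ntpath.basename(f.get("Image", "")).lower()
            parent = ntpath.basename(f.get("ParentImage", "")).lower()
            if parent.startswith("solarwinds") and image in SUSPICIOUS_CHILDREN:
                # A SolarWinds service launching a shell or LOLBin.
                findings.append({"rule": "solarwinds-spawned-shell", "line": line})
            elif image.startswith("solarwinds") and parent not in EXPECTED_PARENTS:
                # A SolarWinds process started by something other than the SCM.
                findings.append({"rule": "solarwinds-unexpected-parent", "line": line})
        elif f.get("EventType") == "AppLog" and f.get("Source", "").lower().startswith("solarwinds"):
            if SERIALIZATION_PATTERN.search(f.get("Message", "")):
                findings.append({"rule": "serialization-error", "line": line})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['line']}")
```

The shell-from-service rule carries the most signal; the unexpected-parent rule is noisier (installers and manual restarts from an admin console will trip it), so treat it as a hunting lead to be tuned against a baseline rather than an alert on its own.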
