CVE-2021-35215

8.9 HIGH

📋 TL;DR

This vulnerability allows authenticated attackers to execute arbitrary code on SolarWinds Orion Platform servers through insecure deserialization. It affects organizations running Orion Platform version 2020.2.5, requiring authentication but enabling remote code execution with high impact.

💻 Affected Systems

Products:
  • SolarWinds Orion Platform
Versions: 2020.2.5
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Orion Platform 2020.2.5; authentication is required, but default Orion installations include authentication, so a default install is exposed to any user who can log in.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to install malware, steal sensitive data, pivot to other systems, and maintain persistent access.

🟠 Likely Case

Attackers gain administrative control over the Orion server, enabling data theft, credential harvesting, and lateral movement within the network.

🟢 If Mitigated

With proper network segmentation and authentication controls, impact is limited to the Orion server itself.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

The ZDI-21-1245 advisory includes technical details. Authentication is required, but Orion credentials are often known or guessable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.2.6 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35215

Restart Required: Yes

Instructions:

1. Download Orion Platform 2020.2.6 or later from the SolarWinds Customer Portal.
2. Run the installer with administrative privileges.
3. Follow the upgrade wizard.
4. Restart Orion services after completion.

🔧 Temporary Workarounds

Network Segmentation (all)

Restrict access to Orion Platform to only trusted administrative networks.

Authentication Hardening (all)

Enforce strong passwords, multi-factor authentication, and account lockout policies.

🧯 If You Can't Patch

  • Implement strict network access controls to limit Orion Platform access to essential personnel only
  • Monitor Orion Platform logs for unusual authentication attempts or deserialization errors

🔍 How to Verify

Check if Vulnerable:

Check Orion Platform version in web interface under Settings > All Settings > Product Information

Check Version:

Not applicable - check via Orion web interface

Verify Fix Applied:

Verify version is 2020.2.6 or higher in Product Information page

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Deserialization errors in Orion logs
  • Unexpected process creation

Network Indicators:

  • Unusual outbound connections from Orion server
  • Suspicious PowerShell or command execution patterns

SIEM Query:

source="orion_logs" AND ("deserialization" OR "remote code" OR "unexpected process")
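As an added, illustrative example (not from the advisory or from SolarWinds), the following Python checks a reported Orion version against the patched release named above and runs the log indicators from this section over constructed sample lines; the log format is invented for the example and is not Orion's own.

```python
import re

# Versions stated in the advisory: 2020.2.5 is affected, 2020.2.6 or later is fixed.
FIXED_VERSION = (2020, 2, 6)
AFFECTED_VERSION = (2020, 2, 5)

def parse_version(text: str) -> tuple:
    """Turn '2020.2.6' into (2020, 2, 6) so comparison is numeric, not lexical
    (a string compare would wrongly sort '2020.2.10' below '2020.2.6')."""
    return tuple(int(p) for p in text.strip().split("."))

def is_fixed(version_text: str) -> bool:
    """Patched when the Product Information page reports 2020.2.6 or higher."""
    return parse_version(version_text) >= FIXED_VERSION

def is_affected(version_text: str) -> bool:
    """The advisory names only build 2020.2.5 as affected."""
    return parse_version(version_text) == AFFECTED_VERSION

# Constructed sample log lines (invented format, not Orion's) covering the
# indicators listed on this page: deserialization errors, unexpected process
# creation, and unusual authentication patterns (repeated failed logins).
SAMPLE_LOGS = [
    "2021-09-01 10:00:01 INFO  user=admin src=10.0.0.5 login succeeded",
    "2021-09-01 10:00:07 ERROR SerializationException: unexpected type during deserialization",
    "2021-09-01 10:00:08 WARN  process created: parent=w3wp.exe child=powershell.exe",
    "2021-09-01 10:01:00 INFO  user=admin src=10.0.0.5 logout",
    "2021-09-01 10:05:00 INFO  user=admin src=203.0.113.9 login failed",
    "2021-09-01 10:05:02 INFO  user=admin src=203.0.113.9 login failed",
    "2021-09-01 10:05:04 INFO  user=admin src=203.0.113.9 login failed",
]

RULES = {
    "deserialization_error": re.compile(r"deserializ|SerializationException", re.I),
    "unexpected_process": re.compile(r"process created:.*child=(powershell|cmd)\.exe", re.I),
}

def scan_logs(lines, failed_login_threshold=3):
    """Return (indicator, line) pairs; a repeated-failure alert fires once per
    (user, source) when the failure count reaches the threshold."""
    hits, failures = [], {}
    for line in lines:
        for name, rx in RULES.items():
            if rx.search(line):
                hits.append((name, line))
        m = re.search(r"user=(\S+) src=(\S+) login failed", line)
        if m:
            failures[m.groups()] = failures.get(m.groups(), 0) + 1
            if failures[m.groups()] == failed_login_threshold:
                hits.append(("repeated_failed_login", line))
    return hits
```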
