CVE-2021-35218

8.9 HIGH

📋 TL;DR

CVE-2021-35218 is a deserialization-of-untrusted-data flaw in the SolarWinds Orion Patch Manager web console. An attacker who can reach the web console over the network can send a crafted request to the vulnerable chart endpoint and have the server deserialize attacker-controlled data, which yields arbitrary code execution on the Patch Manager server. Any organization running a Patch Manager release earlier than 2020.2.6 is affected.

💻 Affected Systems

Products:
  • SolarWinds Orion Patch Manager
Versions: Releases prior to 2020.2.6 (the fix ships in 2020.2.6)
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web console component of Orion Patch Manager. Requires network access to the web console endpoint.

📦 What is this software?

SolarWinds Patch Manager is SolarWinds' third-party patch management product. The Orion Patch Manager edition integrates with the Orion Platform and exposes its patch status views and charts through the IIS-hosted Orion web console; that web console component is where this vulnerability lives.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full server compromise, allowing the attacker to install malware, steal data, pivot to other systems, and maintain persistent access from a host that already has broad reach into the estate.

🟠 Likely Case: Server compromise leading to data theft, installation of backdoors, and lateral movement within the network.

🟢 If Mitigated: Attack blocked at the network perimeter or detected before significant damage occurs.

🌐 Internet-Facing: HIGH - A web console reachable from the internet lets any remote party send the crafted request. This page rates the exploit as unauthenticated; confirm the privilege level in the vendor advisory's CVSS vector before assuming credentials provide any protection.
🏢 Internal Only: HIGH - Anyone with network access to the console, including a compromised workstation, can exploit it; exploitation does not depend on the console being internet-exposed.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

ZDI published technical details and a proof-of-concept. Exploitation consists of sending crafted requests carrying a serialized payload to the vulnerable chart endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2020.2.6 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35218

Restart Required: Yes

Instructions:

1. Download Patch Manager 2020.2.6 or later from the SolarWinds Customer Portal.
2. Run the installer on the Patch Manager server.
3. Restart the Patch Manager service and IIS.
4. Confirm the installed version now reads 2020.2.6 or later (see How to Verify) and that the web console loads.

🔧 Temporary Workarounds

Network Segmentation

windows

Restrict network access to the Patch Manager web console using firewall rules. The rule below is a blanket block of inbound TCP 443: it cuts off the Orion web console and anything else IIS serves on that port for every client, so use it only as a stop-gap and prefer scoping the console to an admin subnet. Adjust the port if your console does not listen on 443.

Windows Firewall: New-NetFirewallRule -DisplayName "Block PatchManager Console" -Direction Inbound -LocalPort 443 -Protocol TCP -Action Block
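A scoped variant of the workaround above, as an added example that is not from the SolarWinds advisory. It assumes the console listens on TCP 443 and that 10.0.50.0/24 is the admin network (both placeholders). Windows Firewall evaluates Block rules before Allow rules, so "block 443 for everyone, then allow the admin subnet" does not work; instead the script relies on the profile's default inbound Block, disables the broad Allow rules for the port, and adds one Allow rule scoped to the admin range.

```powershell
# Added example, not SolarWinds tooling. Run elevated. $Port and $AdminNet are placeholders.
$Port     = 443
$AdminNet = '10.0.50.0/24'
$RuleName = 'Patch Manager console - admin subnet only'

# 1. Unsolicited inbound traffic is dropped unless an Allow rule matches it.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable every enabled inbound Allow rule that opens the port to everyone
#    (the IIS "World Wide Web Services (HTTPS Traffic-In)" rule is the usual one).
#    Record what was disabled so it can be re-enabled after patching.
$disabled = Get-NetFirewallPortFilter -Protocol TCP -LocalPort $Port |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
        $_.Enabled -eq 'True' -and $_.DisplayName -ne $RuleName
    }
$disabled | Disable-NetFirewallRule
$disabled | Select-Object Name, DisplayName |
    Export-Csv -Path "$env:ProgramData\pm-fw-disabled.csv" -NoTypeInformation

# 3. Re-open the port only to the admin network.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AdminNet -Action Allow | Out-Null
}

# 4. Show what now governs the port so the change can be eyeballed.
Get-NetFirewallPortFilter -Protocol TCP -LocalPort $Port | Get-NetFirewallRule |
    Select-Object DisplayName, Direction, Action, Enabled |
    Format-Table -AutoSize
```

Rules whose LocalPort is "Any" rather than 443 are not returned by the port filter query, so review the output of step 4 and any "Any"-port Allow rules by hand. The same scoping also restricts the Orion web console if it shares the port, which is usually acceptable during the exposure window; the CSV lets you re-enable the original rules once the patch is in.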

Disable Web Console

windows

Temporarily disable the web console component if not required. Stopping W3SVC takes down every IIS site on the host, including the Orion web console if it runs on the same server; once patched, re-enable with Set-Service W3SVC -StartupType Automatic followed by Start-Service W3SVC.

Stop IIS service: Stop-Service W3SVC
Disable IIS: Set-Service W3SVC -StartupType Disabled

🧯 If You Can't Patch

  • Implement strict network access controls so only patch administrators' hosts can reach the Patch Manager web console, and log the connections that are denied
  • Deploy web application firewall (WAF) rules in front of the console that block requests carrying serialized .NET objects to the chart endpoint; treat this as defence in depth only, since generic deserialization signatures are easy to evade through encoding and gadget variations

🔍 How to Verify

Check if Vulnerable:

Check Patch Manager version in the web console admin interface or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\Patch Manager\Version

Check Version:

reg query "HKLM\SOFTWARE\SolarWinds\Patch Manager" /v Version

Verify Fix Applied:

Confirm the installed version is 2020.2.6 or later; the version check is the authoritative test. If you also want a functional test, replay the request described in the ZDI advisory against a non-production instance rather than sending payloads at the production console.
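A version check that covers both the "Check if Vulnerable" and "Verify Fix Applied" steps above, as an added example (not SolarWinds-supplied tooling). It reads the standard Windows Uninstall registry entries first, falls back to the HKLM\SOFTWARE\SolarWinds\Patch Manager\Version value this page names, and compares against 2020.2.6 as a proper version rather than a string. The "*SolarWinds*Patch Manager*" DisplayName pattern is an assumption about how the product registers itself.

```powershell
# Added example, not SolarWinds tooling. Assumes the product appears in the Uninstall keys
# with a DisplayName matching "*SolarWinds*Patch Manager*"; the fallback registry value is
# the one named on this page. Run on the Patch Manager server.
$FixedVersion = [version]'2020.2.6'

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*SolarWinds*Patch Manager*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate

$regVersion = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\SolarWinds\Patch Manager' `
    -Name Version -ErrorAction SilentlyContinue).Version

if (-not $installed -and -not $regVersion) {
    Write-Output 'Patch Manager not found on this host.'
    return
}

# Prefer the Uninstall entry; the product-specific key is a fallback.
$raw = if ($installed) { @($installed)[0].DisplayVersion } else { $regVersion }

# Version strings may carry a build number (e.g. "2020.2.5.1234"); [version] compares
# numerically part by part, which a string comparison would get wrong for "2020.2.10".
$ver = $null
if (-not [version]::TryParse($raw, [ref]$ver)) {
    Write-Output "Unrecognised version string '$raw'; check the console's About page."
    return
}

if ($ver -lt $FixedVersion) {
    Write-Output "VULNERABLE: Patch Manager $ver is older than $FixedVersion (CVE-2021-35218)"
} else {
    Write-Output "Patched: Patch Manager $ver is $FixedVersion or later"
}
```

Run it before and after the upgrade; the second run is the "fix applied" evidence worth keeping with the change record.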

📡 Detection & Monitoring

Log Indicators:

  • Requests to the /Orion/PatchManager/Chart.ashx endpoint from clients or user agents that are not your patch administrators, especially POSTs, and any burst of them from a single source
  • HTTP 500 responses on that endpoint in the IIS W3C logs (IIS logs record status codes, not exception text), paired with ASP.NET unhandled-exception entries such as SerializationException in the Windows Application event log

Network Indicators:

  • Request bodies carrying serialized .NET object graphs (typically base64-encoded) to the chart endpoint; visible only where TLS is terminated and bodies are inspected, such as at a WAF or reverse proxy
  • Unusual outbound connections from the Patch Manager server (reverse shells, second-stage tool downloads) following such a request

SIEM Query:

source="iis" AND (uri="*Chart.ashx*" OR uri="*PatchManager*Chart*") AND (method="POST" OR status>=400)
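The same hunt as the SIEM query above, run directly over IIS W3C log files for hosts that do not ship logs to a SIEM. This is an added example, not part of the page; the log lines in it are constructed for illustration, and the endpoint path is the one quoted above. Real input lives under C:\inetpub\logs\LogFiles\W3SVC*\ and the #Fields header in each file drives the parsing, so a customised field set is handled.

```powershell
# Added example, not SolarWinds tooling. The log text below is constructed; replace it with
# Get-Content over the real u_ex*.log files. Assumes the /Orion/PatchManager/Chart.ashx path.
$LogText = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-09-02 10:15:01 10.0.0.5 GET /Orion/PatchManager/Chart.ashx id=3 443 admin 10.0.50.12 Mozilla/5.0 200 0 0 120
2021-09-02 10:15:07 10.0.0.5 POST /Orion/PatchManager/Chart.ashx - 443 - 203.0.113.44 python-requests/2.25 500 0 0 3020
2021-09-02 10:15:08 10.0.0.5 POST /orion/patchmanager/chart.ashx - 443 - 203.0.113.44 python-requests/2.25 200 0 0 40
2021-09-02 10:15:09 10.0.0.5 GET /Orion/Login.aspx - 443 - 10.0.50.12 Mozilla/5.0 200 0 0 15
'@

function Find-ChartEndpointAbuse {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        # The #Fields directive names the columns; IIS may emit it more than once per file.
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }

        # Case-insensitive: IIS paths are not case-sensitive and scanners vary the case.
        if ($rec['cs-uri-stem'] -notmatch '(?i)/Orion/PatchManager/Chart\.ashx$') { continue }

        $status = [int]$rec['sc-status']
        # Same predicate as the SIEM query: POSTs, or any error response, on the endpoint.
        if ($rec['cs-method'] -eq 'POST' -or $status -ge 400) {
            [pscustomobject]@{
                Time   = "$($rec['date']) $($rec['time'])"
                Client = $rec['c-ip']
                User   = $rec['cs-username']
                Method = $rec['cs-method']
                Status = $status
                UA     = $rec['cs(User-Agent)']
            }
        }
    }
}

$hits = Find-ChartEndpointAbuse -Lines ($LogText -split "`r?`n")
$hits | Format-Table -AutoSize

# Roll up by source so one host hammering the endpoint stands out; on the constructed
# input this reports 203.0.113.44 with two hits and nothing for the admin workstation.
$hits | Group-Object Client | Select-Object Name, Count | Sort-Object Count -Descending
```

IIS W3C logs never contain the request body, so this hunt only tells you who touched the endpoint and how it responded; to see the serialized payload itself you need a WAF or reverse proxy that captures bodies, or Failed Request Tracing enabled on the site for the duration of an investigation.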
