CVE-2021-35220

8.1 HIGH

📋 TL;DR

CVE-2021-35220 is a command injection vulnerability in SolarWinds Orion Platform's EmailWebPage API that allows attackers to execute arbitrary commands on affected systems. This can lead to remote code execution (RCE) from the Alerts Settings page. Organizations running vulnerable versions of SolarWinds Orion Platform are affected.

💻 Affected Systems

Products:
  • SolarWinds Orion Platform
Versions: 2020.2.5 and earlier
Operating Systems: Windows Server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Orion Platform installations with EmailWebPage API functionality enabled for alert notifications.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the SolarWinds server, enabling lateral movement, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Unauthorized command execution leading to system reconnaissance, credential harvesting, and deployment of additional malware or ransomware.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing lateral movement and data exfiltration.

🌐 Internet-Facing: HIGH - SolarWinds Orion is often exposed to manage remote infrastructure, making it accessible to external attackers.
🏢 Internal Only: HIGH - Even internally accessible instances are at risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the Alerts Settings page. Multiple proof-of-concept exploits are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Orion Platform 2020.2.6 Hotfix 1 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35220

Restart Required: Yes

Instructions:

1. Download Orion Platform 2020.2.6 Hotfix 1 or later from the SolarWinds Customer Portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart Orion services after installation completes.

🔧 Temporary Workarounds

Disable EmailWebPage API

Platform: Windows

Temporarily disable the vulnerable EmailWebPage API functionality until patching can be completed.

Navigate to Settings > All Settings > Alerting > Email/Web Page Settings and disable web page alert actions.

Restrict Access to Alerts Settings

Platform: Windows

Limit access to the Alerts Settings page to only necessary administrative users.

Configure Orion user permissions to restrict 'Alert Settings' access to the minimal required personnel.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SolarWinds Orion servers from critical systems
  • Enable detailed logging and monitoring for suspicious command execution patterns

🔍 How to Verify

Check if Vulnerable:

Check Orion Platform version in Help > About. If version is 2020.2.5 or earlier, the system is vulnerable.

Check Version:

In Orion Web Console, navigate to Help > About to view current version

Verify Fix Applied:

Verify installation of Orion Platform 2020.2.6 Hotfix 1 or later in Help > About and test EmailWebPage functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in Windows Event Logs
  • Suspicious PowerShell or cmd.exe activity from Orion processes
  • Unexpected network connections from Orion server

Network Indicators:

  • Outbound connections from Orion server to unexpected destinations
  • Command and control traffic patterns

SIEM Query:

source="windows" (process_name="cmd.exe" OR process_name="powershell.exe") parent_process="Orion*" | stats count by src_ip, dest_ip, command_line

The parentheses matter: in Splunk-style search, AND binds tighter than OR, so without them the parent_process filter would apply only to the powershell.exe branch and every cmd.exe launch on the host would match.
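The same detection logic applied to process-creation records, as an added example that is not part of the original advisory. It assumes Sysmon-style event fields named as in the query above; the parent executable names and command lines in the sample events are constructed, not real Orion telemetry.

```python
"""Flag cmd.exe / powershell.exe spawned by a parent matching "Orion*".

Added example for CVE-2021-35220 detection; the SAMPLE_EVENTS below are
constructed (executable names are placeholders, not SolarWinds binaries).
"""
import fnmatch
from collections import Counter

SHELLS = {"cmd.exe", "powershell.exe"}
PARENT_PATTERN = "orion*"  # pattern from the SIEM query, compared case-insensitively

# Constructed Sysmon Event ID 1-style records.
SAMPLE_EVENTS = [
    {"process_name": "powershell.exe", "parent_process": "OrionWeb.exe",
     "command_line": "powershell.exe -nop -w hidden -enc QQBBAEEA"},
    {"process_name": "cmd.exe", "parent_process": "OrionAlertEngine.exe",
     "command_line": "cmd.exe /c whoami"},
    {"process_name": "cmd.exe", "parent_process": "explorer.exe",
     "command_line": "cmd.exe"},                      # benign: wrong parent
    {"process_name": "notepad.exe", "parent_process": "OrionWeb.exe",
     "command_line": "notepad.exe"},                  # benign: not a shell
    {"process_name": "PowerShell.exe", "parent_process": "orionweb.exe",
     "command_line": "powershell.exe -c Get-Date"},   # mixed case still matches
]


def is_suspicious(event):
    """(shell) AND (parent matches Orion*), grouped the way the query intends."""
    proc = event.get("process_name", "").lower()
    parent = event.get("parent_process", "").lower()
    return proc in SHELLS and fnmatch.fnmatchcase(parent, PARENT_PATTERN)


def find_suspicious(events):
    return [e for e in events if is_suspicious(e)]


def summarize(events):
    """Equivalent of `stats count by parent_process, process_name, command_line`."""
    return Counter(
        (e["parent_process"].lower(), e["process_name"].lower(), e["command_line"])
        for e in find_suspicious(events)
    )


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS).items():
        print(n, *key)
```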
