CVE-2022-36963
📋 TL;DR
This command injection vulnerability in SolarWinds Platform allows authenticated administrators to execute arbitrary system commands. Attackers with compromised admin credentials can gain full control of affected systems. Organizations using vulnerable SolarWinds Platform versions are at risk.
💻 Affected Systems
- SolarWinds Platform
📦 What is this software?
Orion Platform by SolarWinds
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise leading to data theft, ransomware deployment, lateral movement across network, and persistent backdoor installation.
Likely Case
Privilege escalation leading to unauthorized access to sensitive monitoring data, system configuration changes, and potential credential harvesting.
If Mitigated
Limited impact due to strong access controls, network segmentation, and admin account monitoring preventing successful exploitation.
🎯 Exploit Status
Exploitation requires valid admin credentials but command injection is straightforward once authenticated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SolarWinds Platform 2023.2 or later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36963
Restart Required: Yes
Instructions:
1. Download SolarWinds Platform 2023.2 or later from the SolarWinds Customer Portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart SolarWinds services after the installation completes.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrative access to SolarWinds Platform to only essential personnel, following the principle of least privilege.
Network Segmentation
Isolate SolarWinds Platform servers in a separate network segment with strict firewall rules.
🧯 If You Can't Patch
- Implement multi-factor authentication for all SolarWinds admin accounts
- Monitor and alert on unusual admin account activity and command execution patterns
🔍 How to Verify
Check if Vulnerable:
Check SolarWinds Platform version in web interface under Settings > All Settings > Product Information
Check Version:
Not applicable - use web interface or check installed programs in Windows
Verify Fix Applied:
Verify version is 2023.2 or later and check for successful installation in SolarWinds logs
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution in SolarWinds logs
- Multiple failed admin login attempts followed by successful login
- Unexpected process creation from SolarWinds services
Network Indicators:
- Outbound connections from SolarWinds server to unusual destinations
- Unexpected protocol usage from SolarWinds server
SIEM Query:
source="solarwinds" AND (event_type="command_execution" OR (user="admin" AND action="login")) | stats count by src_ip, user, command
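The two log indicators above (a burst of failed admin logins followed by a success, and a shell spawned by a SolarWinds service process) can be checked offline against exported logs. The following is an added example written for this page, not SolarWinds code or the SIEM query's implementation: it assumes a simple "timestamp event key=value ..." line format, the sample lines and the service/process names in them are constructed placeholders, and the thresholds (3 failures, 5-minute window) are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line format: ISO-8601 UTC timestamp, event name, then key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>\S+)\s*(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample log lines (placeholder process names, RFC 5737 test addresses).
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z login result=failure user=admin src_ip=203.0.113.7
2024-05-01T10:00:03Z login result=failure user=admin src_ip=203.0.113.7
2024-05-01T10:00:05Z login result=failure user=admin src_ip=203.0.113.7
2024-05-01T10:00:09Z login result=success user=admin src_ip=203.0.113.7
2024-05-01T10:01:00Z process_create parent=SolarWinds.ExampleService.exe child=cmd.exe user=admin
2024-05-01T10:02:00Z process_create parent=SolarWinds.ExampleService.exe child=SolarWinds.Worker.exe user=SYSTEM
2024-05-01T10:05:00Z login result=success user=operator src_ip=198.51.100.4
"""


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return {"ts": ts, "event": m.group("event"), **fields}


def parse_log(text):
    return [e for e in (parse_line(line) for line in text.splitlines()) if e]


def detect_failed_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by >= min_failures failures for the same
    (user, src_ip) inside the sliding window. Thresholds are assumptions."""
    recent = defaultdict(deque)  # (user, src_ip) -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] != "login":
            continue
        key = (e.get("user"), e.get("src_ip"))
        q = recent[key]
        while q and e["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if e.get("result") == "failure":
            q.append(e["ts"])
        elif e.get("result") == "success":
            if len(q) >= min_failures:
                alerts.append({"user": key[0], "src_ip": key[1],
                               "failures": len(q), "success_at": e["ts"]})
            q.clear()
    return alerts


# Interpreters a monitoring service should not normally spawn (list is an assumption).
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def detect_shell_from_solarwinds(events, parent_prefix="solarwinds", suspicious=SHELL_CHILDREN):
    """Flag process creation where a SolarWinds-named parent starts a shell or script host."""
    alerts = []
    for e in events:
        if e["event"] != "process_create":
            continue
        parent = e.get("parent", "").lower()
        child = e.get("child", "").lower()
        if parent.startswith(parent_prefix) and child in suspicious:
            alerts.append({"parent": e["parent"], "child": e["child"],
                           "user": e.get("user"), "ts": e["ts"]})
    return alerts


def analyze(log_text):
    """Run both detections over raw log text and return the alerts grouped by type."""
    events = parse_log(log_text)
    return {"login": detect_failed_then_success(events),
            "process": detect_shell_from_solarwinds(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOGS).items():
        for hit in hits:
            print(kind, hit)
```

On the constructed sample the login detector fires once (admin from 203.0.113.7, three failures then a success) and the process detector fires once (cmd.exe under the placeholder service); the worker process and the operator login are left alone, which is the expected baseline for a healthy server.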
🔗 References
- https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/solarwinds_platform_2023-2_release_notes.htm
- https://www.solarwinds.com/trust-center/security-advisories/cve-2022-36963