CVE-2023-35184

8.8 HIGH

📋 TL;DR

CVE-2023-35184 is a remote code execution vulnerability in SolarWinds Access Rights Manager that allows unauthenticated attackers to execute arbitrary code on affected systems. This affects organizations running vulnerable versions of SolarWinds ARM, potentially compromising the entire system and adjacent networks.

💻 Affected Systems

Products:
  • SolarWinds Access Rights Manager
Versions: prior to 2023.2.1
Operating Systems: Windows Server (all supported versions)
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable; no special configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system takeover, lateral movement across network, data exfiltration, ransomware deployment, and persistent backdoor installation.

🟠 Likely Case: Unauthenticated attacker gains SYSTEM-level privileges, installs malware, steals credentials, and pivots to other systems in the network.

🟢 If Mitigated: Attack blocked at network perimeter or detected before code execution; limited to attempted exploitation logs.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers to directly compromise exposed systems without any credentials.
🏢 Internal Only: HIGH - Even internally, any network-accessible vulnerable system can be compromised by malicious insiders or attackers who breach perimeter defenses.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has been publicly disclosed with technical details, making weaponization highly probable.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.2.1 or later

Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2023-35184

Restart Required: Yes

Instructions:

1. Download SolarWinds ARM 2023.2.1 or later from the SolarWinds customer portal.
2. Back up the current configuration and database.
3. Run the installer with administrative privileges.
4. Restart the server after installation completes.
5. Verify the update in the ARM web interface.

🔧 Temporary Workarounds

Network Segmentation (applies to: all platforms)

Restrict network access to the SolarWinds ARM server to only the necessary administrative IPs.

Use firewall rules to block all inbound traffic to SolarWinds ARM ports except from trusted management networks.

Service Account Hardening (applies to: windows)

Run the SolarWinds ARM service with minimal privileges (confirm the installed service name with sc query before running this; the name below is as given in this advisory):

sc config "SolarWinds ARM Service" obj= "NT AUTHORITY\LocalService" password= ""

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure to trusted IP addresses only
  • Deploy application control/whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check SolarWinds ARM version in web interface: Settings → About. Versions below 2023.2.1 are vulnerable.

Check Version:

Get-ItemProperty "HKLM:\SOFTWARE\SolarWinds\Access Rights Manager" | Select-Object -ExpandProperty Version

Verify Fix Applied:

Verify version is 2023.2.1 or higher in Settings → About, and test that the service responds normally to legitimate requests.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process creation from SolarWinds ARM service
  • Failed authentication attempts followed by successful exploitation patterns
  • Unexpected network connections from ARM server

Network Indicators:

  • Unusual outbound connections from ARM server to external IPs
  • Traffic patterns matching known exploit payloads to ARM service ports

SIEM Query:

source="SolarWinds-ARM" AND ((event_type="process_creation" AND parent_process="SolarWinds.ARM.Service.exe") OR (event_type="network_connection" AND dest_port IN (17778, 17779)))

Note the outer parentheses: AND binds tighter than OR, so without them the network-connection clause would match events from every log source, not only the ARM server.
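The detection logic of the SIEM query, run over a handful of constructed log events, as an added example (this is not SolarWinds code or tooling from the advisory). Field names (source, event_type, parent_process, dest_port) are assumed to match the query's own; every event in the block is constructed sample data. It evaluates both the source-scoped form of the query and the unscoped form, so the effect of the operator precedence can be seen on the same input, and it coerces dest_port to an integer because many log pipelines ship ports as strings.

```python
# Added example for this page; not SolarWinds code or the advisory's own tooling.
# It encodes the page's SIEM query as a Python predicate and runs it over a few
# constructed log events. Field names (source, event_type, parent_process,
# dest_port) are assumed to match the page's query; all events are constructed.

ARM_SOURCE = "SolarWinds-ARM"
ARM_SERVICE_PROCESS = "SolarWinds.ARM.Service.exe"
ARM_SERVICE_PORTS = {17778, 17779}   # ports named in the page's query


def _port(event: dict):
    """Return dest_port as an int, or None when absent or unparsable.
    Log pipelines often ship ports as strings, so the comparison must coerce."""
    raw = event.get("dest_port")
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def process_branch(event: dict) -> bool:
    """Process creation whose parent is the ARM service binary (case-insensitive)."""
    parent = event.get("parent_process") or ""
    return (event.get("event_type") == "process_creation"
            and parent.lower() == ARM_SERVICE_PROCESS.lower())


def network_branch(event: dict) -> bool:
    """Network connection to one of the ARM service ports."""
    return (event.get("event_type") == "network_connection"
            and _port(event) in ARM_SERVICE_PORTS)


def matches_scoped(event: dict) -> bool:
    """Query with the source filter applied to both branches:
    source="SolarWinds-ARM" AND (process_branch OR network_branch)."""
    return event.get("source") == ARM_SOURCE and (
        process_branch(event) or network_branch(event)
    )


def matches_unscoped(event: dict) -> bool:
    """Same clauses without the outer parentheses. AND binds tighter than OR,
    so this reads as (source AND process_branch) OR network_branch: the
    network branch fires for every log source, not only the ARM server."""
    return (event.get("source") == ARM_SOURCE and process_branch(event)) or network_branch(event)


def find_hits(events, matcher=matches_scoped):
    """Return the ids of the events the given matcher flags, in input order."""
    return [e["id"] for e in events if matcher(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"id": "e1", "source": ARM_SOURCE, "event_type": "process_creation",
     "parent_process": "SolarWinds.ARM.Service.exe", "image": "cmd.exe"},
    {"id": "e2", "source": ARM_SOURCE, "event_type": "process_creation",
     "parent_process": "explorer.exe", "image": "notepad.exe"},
    {"id": "e3", "source": ARM_SOURCE, "event_type": "network_connection",
     "dest_port": 17778},
    {"id": "e4", "source": "Firewall", "event_type": "network_connection",
     "dest_port": 17779},            # other source: only the unscoped form flags it
    {"id": "e5", "source": ARM_SOURCE, "event_type": "network_connection",
     "dest_port": 443},
    {"id": "e6", "source": ARM_SOURCE, "event_type": "network_connection",
     "dest_port": "17779"},          # port shipped as a string
]

if __name__ == "__main__":
    print("scoped  :", find_hits(SAMPLE_EVENTS))                    # ['e1', 'e3', 'e6']
    print("unscoped:", find_hits(SAMPLE_EVENTS, matches_unscoped))  # ['e1', 'e3', 'e4', 'e6']
```

Running the block prints the two hit lists; the extra e4 hit in the unscoped list is exactly the firewall-sourced event that a source-scoped rule should not raise.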

🔗 References
