CVE-2024-28075
📋 TL;DR
This vulnerability allows authenticated users of SolarWinds Access Rights Manager to execute arbitrary code remotely on affected systems. Attackers with valid credentials can exploit this deserialization flaw to gain full control of the ARM server. Organizations running vulnerable versions of SolarWinds ARM are affected.
💻 Affected Systems
- SolarWinds Access Rights Manager
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the ARM server leading to domain privilege escalation, lateral movement, and data exfiltration.
Likely Case
Authenticated attackers gaining SYSTEM/root privileges on the ARM server, enabling credential theft and persistence.
If Mitigated
Limited to authenticated users only; proper network segmentation and authentication controls reduce blast radius.
🎯 Exploit Status
Exploitation requires authentication but is straightforward once credentials are obtained; likely to be weaponized given high CVSS score.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.2.4 or later
Vendor Advisory: https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28075
Restart Required: Yes
Instructions:
1. Download ARM 2023.2.4 or later from the SolarWinds Customer Portal.
2. Back up the current configuration.
3. Run the installer with administrative privileges.
4. Restart ARM services as prompted.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to the ARM server to trusted administrative networks only.
Enhanced Authentication Controls
Implement multi-factor authentication and strong password policies for ARM users.
🧯 If You Can't Patch
- Isolate ARM server in dedicated VLAN with strict firewall rules allowing only necessary traffic.
- Implement application allowlisting to prevent execution of unauthorized binaries on ARM server.
🔍 How to Verify
Check if Vulnerable:
Check ARM version in web interface (Admin → About) or via registry: HKEY_LOCAL_MACHINE\SOFTWARE\SolarWinds\ARM\Version.
Check Version:
reg query "HKLM\SOFTWARE\SolarWinds\ARM" /v Version
Verify Fix Applied:
Confirm version is 2023.2.4 or higher and test authenticated functionality remains operational.
📡 Detection & Monitoring
Log Indicators:
- Unusual process creation from ARM service account
- Failed authentication attempts followed by successful login and suspicious activity
Network Indicators:
- Unexpected outbound connections from ARM server
- Anomalous traffic patterns to/from ARM ports (typically 17778)
SIEM Query:
source="arm_logs" AND ((event_type="process_creation" AND parent_process="SolarWinds.ARM.Service") OR (event_type="auth_failure" followed by event_type="auth_success" from the same src_ip within a short time window))
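The SIEM query above is pseudo-syntax; the following Python is an added example (not code from SolarWinds or from this advisory) that implements the same two detections over a handful of constructed events so the logic can be tested offline. The event field names (ts, event_type, src_ip, parent_process, process, host), the five-minute correlation window and the allowlist entry are assumptions to be replaced with values from your own log pipeline and a known-good baseline of ARM child processes.

```python
"""Correlate the two ARM log indicators from the advisory:
1. process creation whose parent is the ARM service but whose child is not in a baseline allowlist;
2. authentication failure(s) followed by a success from the same source IP within a short window.
Field names and sample data are constructed for this example, not taken from real ARM logs."""
from datetime import datetime, timedelta

ARM_SERVICE = "SolarWinds.ARM.Service"
AUTH_WINDOW = timedelta(minutes=5)      # assumption: tune to your environment
MIN_FAILURES = 1                        # assumption: raise to cut noise from typos
# Placeholder baseline: populate from child processes observed on a healthy ARM server.
EXPECTED_CHILDREN = {"PLACEHOLDER_baseline_child.exe"}

# Constructed sample events (not real ARM log lines).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "event_type": "auth_failure", "src_ip": "10.0.5.23", "user": "svc_backup"},
    {"ts": "2024-03-01T10:00:40", "event_type": "auth_failure", "src_ip": "10.0.5.23", "user": "svc_backup"},
    {"ts": "2024-03-01T10:01:10", "event_type": "auth_success", "src_ip": "10.0.5.23", "user": "svc_backup"},
    {"ts": "2024-03-01T10:02:05", "event_type": "process_creation", "parent_process": ARM_SERVICE,
     "process": "cmd.exe", "host": "arm01"},
    {"ts": "2024-03-01T10:30:00", "event_type": "auth_failure", "src_ip": "10.0.8.4", "user": "jdoe"},
    {"ts": "2024-03-01T11:45:00", "event_type": "auth_success", "src_ip": "10.0.8.4", "user": "jdoe"},
    {"ts": "2024-03-01T11:50:00", "event_type": "process_creation", "parent_process": ARM_SERVICE,
     "process": "PLACEHOLDER_baseline_child.exe", "host": "arm01"},
]


def _ts(event):
    """Parse the ISO-8601 timestamp carried by each event."""
    return datetime.fromisoformat(event["ts"])


def detect_unusual_process(events, expected=EXPECTED_CHILDREN):
    """Flag children of the ARM service that are absent from the baseline allowlist."""
    alerts = []
    for e in events:
        if e.get("event_type") != "process_creation" or e.get("parent_process") != ARM_SERVICE:
            continue
        if e.get("process") not in expected:
            alerts.append({"rule": "arm_unusual_child_process", "host": e.get("host"),
                           "process": e["process"], "ts": e["ts"]})
    return alerts


def detect_failure_then_success(events, window=AUTH_WINDOW, min_failures=MIN_FAILURES):
    """Flag a successful login preceded by >= min_failures failures from the same IP inside `window`."""
    failures = {}   # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=_ts):   # correlation assumes time order
        kind, ip = e.get("event_type"), e.get("src_ip")
        if kind == "auth_failure":
            failures.setdefault(ip, []).append(_ts(e))
        elif kind == "auth_success":
            now = _ts(e)
            recent = [t for t in failures.get(ip, []) if now - t <= window]
            if len(recent) >= min_failures:
                alerts.append({"rule": "arm_auth_failure_then_success", "src_ip": ip,
                               "user": e.get("user"), "failures": len(recent), "ts": e["ts"]})
            failures.pop(ip, None)   # one burst of failures yields at most one alert
    return alerts


def run_detections(events):
    """Run both rules and return the combined alert list (process rule first)."""
    return detect_unusual_process(events) + detect_failure_then_success(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data this fires twice: once for cmd.exe spawned by the ARM service, and once for 10.0.5.23, whose two failures precede a success by about a minute. The 10.0.8.4 login is not flagged because its single failure is 75 minutes old, which is how the window suppresses ordinary mistyped passwords; widen the window and it surfaces too.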
🔗 References
- https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-4_release_notes.htm
- https://documentation.solarwinds.com/en/success_center/arm/content/secure-your-arm-deployment.htm
- https://www.solarwinds.com/trust-center/security-advisories/CVE-2024-28075