Critical ARM vulnerability that could have allowed RCE patched by SolarWinds

The company addressed a deserialization of untrusted data flaw

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

SolarWinds has recently patched a critical severity vulnerability in its Access Rights Manager (ARM) program, which allowed threat actors to run malicious code remotely.

Access Rights Manager (ARM) is a piece of software designed to help organizations manage, monitor, and audit user access rights across their IT systems.

In a security advisory, SolarWinds said ARM was vulnerable to a “deserialization of untrusted data remote code execution flaw,” which essentially means that the software was not validating user-supplied data properly. That data, if malicious, could be abused in cyberattacks.

Patch available

The bug is tracked asCVE-2024-28991, and has a severity rating of 9.0/10 (critical). It was first spotted by security researchers from Trend Micro’s Zero Day Initiative (ZDI),The Hacker Newsreports, who gave it a 9.9 severity rating. One of the reasons is because of poor authentication practices: “Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed,” the ZDI said.

If you are using ARM, you should make sure you’re running version 2024.3.1. SolarWinds says there is no evidence that the flaw is being abused in the wild, but is still advocating caution and advising users to patch without delay.

Although SolarWinds is a major IT services provider, popular among enterprises, it rose to infamy back in 2020 when an upcomingpatchfor one of its products was compromised byransomwarehackers. Unknowingly, the company pushed a tainted update to countless customers, compromising many of them in the process, and resulting in sensitive data being stolen from dozens of high-profile organizations.

Last year, the US Securities and Exchange Commission (SEC) decided to sue SolarWinds for the incident, claiming its executives knew about its security shortcomings. Instead of notifying investors and users, the lawsuit alleges, the execs kept the information for themselves and even tried to convince everyone of the opposite.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

ViaThe Hacker News

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

HPE reveals critical security bug affecting networking access points

A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now

Scammers are using fake copyright infringement claims to hack businesses