SolarWinds has released fixes to address two security flaws in its Access Rights Manager (ARM) software, including a critical vulnerability that could result in remote code execution.
The vulnerability, tracked as CVE-2024-28991, is rated 9.0 out of a maximum of 10.0 on the CVSS scoring system. It has been described as an instance of deserialization of untrusted data.
"SolarWinds Access Rights Manager (ARM) was found to be susceptible to a remote code execution vulnerability," the company said in an advisory. "If exploited, this vulnerability would allow an authenticated user to abuse the service, resulting in remote code execution."
Security researcher Piotr Bazydlo of the Trend Micro Zero Day Initiative (ZDI) has been credited with discovering and reporting the flaw on May 24, 2024.
The ZDI, which has assigned the shortcoming a CVSS score of 9.9, said it exists within a class called JsonSerializationBinder and stems from a lack of proper validation of user-supplied data, thus exposing ARM devices to a deserialization vulnerability that could then be abused to execute arbitrary code.
"Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed," the ZDI said.
Also addressed by SolarWinds is a medium-severity flaw in ARM (CVE-2024-28990, CVSS score: 6.3) that exposed a hard-coded credential which, if successfully exploited, could allow unauthorized access to the RabbitMQ management console.
Both the issues have been patched in ARM version 2024.3.1. Although there is currently no evidence of active exploitation of the vulnerabilities, users are recommended to update to the latest version as soon as possible to safeguard against potential threats.
The development comes as D-Link has resolved three critical vulnerabilities affecting DIR-X4860, DIR-X5460, and COVR-X1870 routers (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697, CVSS scores: 9.8) that could enable remote execution of arbitrary code and system commands.