CVE-2021-25274

high-risk
Published 2021-02-03

The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in insecure manner, allowing remote arbitrary code execution as LocalSystem.

Do I need to act?

!
44.3% chance of exploitation in next 30 days
EPSS score — higher than 56% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Solarwinds

References (2)

Exploit https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-cont...
Exploit https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/full-system-cont...
54
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 17/34 · Moderate
Exposure 5/34 · Minimal