CVE-2016-3642

CRITICAL

SolarWinds Virtualization Manager <6.3.1 - Command Injection

Title source: llm

Description

The RMI service in SolarWinds Virtualization Manager 6.3.1 and earlier allows remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

References (3)

Core 3

Core References

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2016/Jun/25

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2016/Jun/29

Exploit x_refsource_misc

http://packetstormsecurity.com/files/137486/Solarwinds-Virtualization-Manager-6.3.1-Java-Deserialization.html

Scores

CVSS v3 9.8

EPSS 0.2238

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published

Products (1)

solarwinds/virtualization_manager < 6.3.1

Published Jun 17, 2016

Tracked Since Feb 18, 2026