CVE-2017-7722

CRITICAL

SolarWinds LEM <6.3.1 Hotfix 4 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-7722. PoCs published by Mehmet Ince <[email protected]>, including Metasploit module exploits/linux/ssh/solarwinds_lem_exec.

AI-analyzed exploit summary This Metasploit module exploits default SSH credentials in SolarWinds LEM to escape a restricted shell via command injection in a menu system. It delivers a Python-based reverse shell payload upon successful exploitation.

Description

In SolarWinds Log & Event Manager (LEM) before 6.3.1 Hotfix 4, a menu system is encountered when the SSH service is accessed with "cmc" and "password" (the default username and password). By exploiting a vulnerability in the restrictssh feature of the menuing script, an attacker can escape from the restricted shell.

Exploits (1)

metasploit WORKING POC EXCELLENT
by Mehmet Ince <[email protected]> · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/ssh/solarwinds_lem_exec.rb

This Metasploit module exploits default SSH credentials in SolarWinds LEM to escape a restricted shell via command injection in a menu system. It delivers a Python-based reverse shell payload upon successful exploitation.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: SolarWinds LEM v6.3.1
Auth required
Prerequisites: SSH access with default credentials (cmc:password) · Network access to port 32022
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 10.0
EPSS 0.1273
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-77
Status published
Products (1)
solarwinds/log_\&_event_manager 6.3.1
Published Apr 12, 2017
Tracked Since Feb 18, 2026