CVE-2020-10148

CRITICAL KEV NUCLEI

Solarwinds Orion Platform - Missing Authentication

Title source: rule

Description

The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands. This vulnerability could allow a remote attacker to bypass authentication and execute API commands which may result in a compromise of the SolarWinds instance. SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1 are affected.

Exploits (3)

nomisec SCANNER 10 stars

by B1anda0 · remote

https://github.com/B1anda0/CVE-2020-10148

View Code ZIP pw:eip

nomisec WORKING POC 5 stars

by rdoix · remote

https://github.com/rdoix/CVE-2020-10148-Solarwinds-Orion

View Code ZIP pw:eip

inthewild

poc

https://github.com/udyz/cve-2020-10148-solarwinds-orion

View on inthewild

Nuclei Templates (1)

SolarWinds Orion API - Auth Bypass

CRITICALby dwisiswant0

References (4)

[Third Party Advisory, US Government Resource] https://kb.cert.org/vuls/id/843464

[Vendor Advisory] https://www.solarwinds.com/securityadvisory

[Third Party Advisory, US Government Resource] https://www.kb.cert.org/vuls/id/843464

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2020-10148

Scores

CVSS v3 9.8

EPSS 0.9435

EPSS Percentile 100.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2021-11-03

VulnCheck KEV 2021-04-29

InTheWild.io 2021-07-23

ENISA EUVD EUVD-2020-2611

CWE

CWE-306 CWE-288

Status published

Products (3)

solarwinds/orion_platform 2019.4 hotfix5

solarwinds/orion_platform 2020.2

solarwinds/orion_platform 2020.2.1 hotfix1

Published Dec 29, 2020

KEV Added Nov 03, 2021

Tracked Since Feb 18, 2026