Description
An insecure deserialization of untrusted data remote code execution vulnerability was discovered in the Patch Manager Orion Platform Integration module and reported to us by ZDI. An authenticated attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.
References (4)
Core References
Vendor Advisory x_refsource_misc
https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm
Release Notes, Vendor Advisory x_refsource_misc
https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-6_release_notes.htm
Vendor Advisory x_refsource_misc
https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35217
Third Party Advisory, VDB Entry x_refsource_misc
https://www.zerodayinitiative.com/advisories/ZDI-21-1247/
Scores
CVSS v3
8.9
EPSS
0.6006
EPSS Percentile
98.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L
Details
CWE
CWE-502
Status
published
Products (1)
solarwinds/patch_manager
< 2020.2.5
Published
Sep 08, 2021
Tracked Since
Feb 18, 2026