CVE-2021-35217

HIGH

Patch Manager Orion Platform - Code Injection

Title source: llm

Description

Insecure Deseralization of untrusted data remote code execution vulnerability was discovered in Patch Manager Orion Platform Integration module and reported to us by ZDI. An Authenticated Attacker could exploit it by executing WSAsyncExecuteTasks deserialization of untrusted data.

References (4)

[Vendor Advisory] https://documentation.solarwinds.com/en/success_center/orionplatform/content/core-secure-configuration.htm

[Release Notes, Vendor Advisory] https://documentation.solarwinds.com/en/success_center/orionplatform/content/release_notes/orion_platform_2020-2-6_release_notes.htm

[Vendor Advisory] https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35217

[Third Party Advisory, VDB Entry] https://www.zerodayinitiative.com/advisories/ZDI-21-1247/

Scores

CVSS v3 8.9

EPSS 0.6006

EPSS Percentile 98.2%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Classification

CWE

CWE-502

Status published

Affected Products (1)

solarwinds/patch_manager < 2020.2.5

Timeline

Published Sep 08, 2021

Tracked Since Feb 18, 2026