CVE-2021-35218

HIGH

Orion Patch Manager - RCE

Title source: llm

Description

Deserialization of Untrusted Data in the Web Console Chart Endpoint can lead to remote code execution. An unauthorized attacker who has network access to the Orion Patch Manager Web Console could potentially exploit this and compromise the server

References (3)

[Not Applicable, Vendor Advisory] https://documentation.solarwinds.com/en/success_center/patchman/content/release_notes/patchman_2020-2-6_release_notes.htm

[Vendor Advisory] https://www.solarwinds.com/trust-center/security-advisories/cve-2021-35218

[Third Party Advisory, VDB Entry] https://www.zerodayinitiative.com/advisories/ZDI-21-1248/

Scores

CVSS v3 8.9

EPSS 0.1685

EPSS Percentile 94.9%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:L

Classification

CWE

CWE-502

Status published

Affected Products (1)

solarwinds/orion_platform < 2020.2.6

Timeline

Published Sep 01, 2021

Tracked Since Feb 18, 2026