Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Critical ARM vulnerability that could have allowed RCE patched by SolarWinds

A digital themed isometric showing a neon padlock in the foreground, and a technological diagram of a processor logic board in the background.

SolarWinds has recently patched a critical severity vulnerability in its Access Rights Manager (ARM) program, which allowed threat actors to run malicious code remotely.

Access Rights Manager (ARM) is a piece of software designed to help organizations manage, monitor, and audit user access rights across their IT systems.

In a security advisory, SolarWinds said ARM was vulnerable to a “deserialization of untrusted data remote code execution flaw,” which essentially means that the software was not validating user-supplied data properly. That data, if malicious, could be abused in cyberattacks.

Patch available

The bug is tracked as CVE-2024-28991, and has a severity rating of 9.0/10 (critical). It was first spotted by security researchers from Trend Micro’s Zero Day Initiative (ZDI), The Hacker News reports, who gave it a 9.9 severity rating. One of the reasons is because of poor authentication practices: "Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed," the ZDI said.

If you are using ARM, you should make sure you’re running version 2024.3.1. SolarWinds says there is no evidence that the flaw is being abused in the wild, but is still advocating caution and advising users to patch without delay.

Although SolarWinds is a major IT services provider, popular among enterprises, it rose to infamy back in 2020 when an upcoming patch for one of its products was compromised by ransomware hackers. Unknowingly, the company pushed a tainted update to countless customers, compromising many of them in the process, and resulting in sensitive data being stolen from dozens of high-profile organizations.

Last year, the US Securities and Exchange Commission (SEC) decided to sue SolarWinds for the incident, claiming its executives knew about its security shortcomings. Instead of notifying investors and users, the lawsuit alleges, the execs kept the information for themselves and even tried to convince everyone of the opposite.

Via The Hacker News

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.