Critical ARM Vulnerability Patch Released by SolarWinds to Address RCE Attack Possibility

SolarWinds has recently fixed two security flaws in its Access Rights Manager (ARM) software. One of the vulnerabilities, tracked as CVE-2024-28991, is rated critical, with a CVSS score of 9.0. The flaw involves deserialization of untrusted data, which could lead to remote code execution.

The company explained in an advisory that “SolarWinds Access Rights Manager (ARM) was found to be vulnerable to a remote code execution flaw.” The flaw was discovered and reported by security researcher Piotr Bazydlo of Trend Micro Zero Day Initiative on May 24, 2024. Another medium-severity vulnerability, identified as CVE-2024-28990, was also fixed in ARM.

ZDI assigned the first vulnerability a CVSS score of 9.9 and attributed it to a class called JsonSerializationBinder, which lacks proper validation of user-supplied data. SolarWinds has released ARM version 2024.3.1 to address these issues and urges users to update to the latest version for protection against potential threats.
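What validation in a serialization binder looks like, as an added illustration that is not SolarWinds code and does not come from either advisory: the binder resolves a type name only when it appears on a fixed allow-list. The sketch assumes the Newtonsoft.Json library; `AccessRequest` and `AllowListBinder` are hypothetical names, and the JSON inputs are constructed.

```csharp
using System;
using System.Collections.Generic;
using Newtonsoft.Json;
using Newtonsoft.Json.Serialization;

// Hypothetical DTO standing in for an application's own message types.
public sealed class AccessRequest { public string User { get; set; } public string Resource { get; set; } }

// Allow-list binder: a "$type" value resolves only if it was registered here.
public sealed class AllowListBinder : ISerializationBinder
{
    private readonly Dictionary<string, Type> _allowed = new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowListBinder(params Type[] types) { foreach (var t in types) _allowed[t.FullName] = t; }

    public Type BindToType(string assemblyName, string typeName)
    {
        // Exact-match lookup only; no fallback to Type.GetType(typeName).
        if (typeName != null && _allowed.TryGetValue(typeName, out var type)) return type;
        throw new JsonSerializationException("Type not on allow-list: " + typeName);
    }

    public void BindToName(Type serializedType, out string assemblyName, out string typeName)
    {
        assemblyName = null;
        typeName = serializedType.FullName;
    }
}

public static class Program
{
    public static void Main()
    {
        var settings = new JsonSerializerSettings
        {
            TypeNameHandling = TypeNameHandling.Objects,
            SerializationBinder = new AllowListBinder(typeof(AccessRequest))
        };
        // Constructed inputs: the first names a registered type, the second does not.
        var inputs = new[] {
            "{\"$type\":\"AccessRequest\",\"User\":\"alice\",\"Resource\":\"share1\"}",
            "{\"$type\":\"System.Text.StringBuilder\"}" };
        foreach (var json in inputs)
        {
            try { Console.WriteLine("accepted: " + JsonConvert.DeserializeObject(json, settings).GetType()); }
            catch (JsonSerializationException e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

The first input deserializes to `AccessRequest`; the second is rejected before any object of the named type is constructed.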

In a similar vein, D-Link has also addressed critical vulnerabilities affecting certain routers (CVE-2024-45694, CVE-2024-45695, and CVE-2024-45697) that could lead to remote execution of arbitrary code and system commands.
